Decathlon, the world’s largest sporting goods retailer, has suffered a massive data breach, affecting 123 million customer and employee records.
Cyber security researchers at vpnMentor found a leaky database on a publicly accessible Elasticsearch server. It contained information from the retailer’s Spanish businesses and potentially its UK stores.
Employees’ names, addresses, usernames, passwords, social security numbers, phone numbers and dates of birth were all affected.
Customers’ email addresses and login information were also compromised.
Decathlon has now secured the database, after becoming aware of the breach last week. However, it’s not known how long the information was exposed and whether any malicious individuals accessed it.
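The article does not say how the Elasticsearch server came to be publicly accessible. A common way this happens is a node whose HTTP listener is bound to a non-loopback interface while authentication is left off, so that anyone who can reach port 9200 can query every index. The following is an added example, not code from the article, Decathlon or vpnMentor: a small audit that reads a flat elasticsearch.yml and flags that combination. The setting names (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch keys; the two sample configurations and the severity labels are constructed for illustration.

```python
"""Audit a flat elasticsearch.yml for the pair of settings that, together,
leave a cluster answering unauthenticated queries from the network.

Added example; not code from the article, Decathlon or vpnMentor. The key
names are real Elasticsearch settings; the sample configs and severity
labels are this example's own construction.
"""

# Values of network.host that keep the listener on the local host only.
# _local_ is Elasticsearch's special value for loopback addresses.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines; comments and blank lines are dropped.
    Enough for elasticsearch.yml's scalar top-level settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_network_reachable(host):
    """True unless every bound address is a loopback address.
    Accepts a single value or a YAML flow list such as ["127.0.0.1", "::1"]."""
    hosts = [h.strip().strip("'\"") for h in host.strip("[]").split(",")]
    return any(h and h not in LOOPBACK_HOSTS for h in hosts)


def audit(settings):
    """Return a list of (severity, message) findings for one node config."""
    findings = []
    host = settings.get("network.host", "_local_")  # ES binds loopback when unset
    security = settings.get("xpack.security.enabled")
    reachable = is_network_reachable(host)

    if reachable and security != "true":
        findings.append(("CRITICAL",
            f"network.host={host} accepts remote connections and "
            f"xpack.security.enabled is {security or 'not set'}: anyone who "
            "can reach the HTTP port can read and write every index"))
    elif reachable:
        findings.append(("INFO",
            f"network.host={host} is reachable; confirm TLS on the HTTP layer "
            "and that a firewall restricts the port"))
    elif security != "true":
        findings.append(("LOW",
            "node is loopback-only but authentication is off; a reverse "
            "proxy or port forward would expose it"))
    if security is None:
        findings.append(("LOW",
            "xpack.security.enabled is not set explicitly; the default depends "
            "on the Elasticsearch version, so state it"))
    return findings


def audit_text(text):
    """Convenience wrapper: audit raw elasticsearch.yml text."""
    return audit(parse_flat_yaml(text))


# Constructed sample configs (not from any real deployment).
WEAK_CONFIG = """
cluster.name: shop-analytics
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: shop-analytics
network.host: 10.0.12.5      # private interface only; firewall restricts 9200
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, msg in audit_text(cfg) or [("OK", "no findings")]:
            print(f"  [{severity}] {msg}")
```

The hardened configuration still produces an INFO finding rather than nothing: binding to a private address is only safe if the port is actually filtered, which a file audit cannot confirm, so the check asks the reviewer to verify the firewall and TLS rather than declaring the node secure.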
What’s at risk?
The team at vpnMentor said the leaked database was “a veritable treasure trove” of data that contains “everything that a malicious hacker would, in theory, need to take over accounts and gain access to private and even proprietary information”.
For example, they could use administrator login details to conduct corporate espionage or use email addresses and other details to send phishing emails to customers and employees.
The researchers even suggested that some employees could be in physical danger.
“Employees’ positions and work locations are spread throughout this database, as well as their own physical home addresses.
“This could lead to disgruntled former co-workers or irate customers tracking them down and threatening their physical safety and well-being,” the researchers wrote.
Decathlon is downplaying the severity of the breach, claiming that only a small percentage of the records contained in the database relates to genuine users. This suggests that – at least according to Decathlon – the majority of the records were pseudonymised or were test data.
Avoid basic errors with staff awareness training
Decathlon is by no means the first organisation to expose a database containing sensitive data.
The only way to tackle this threat is to educate staff on the importance of data protection and their obligation to secure sensitive information.
This is a complex task for any organisation, but you can keep things simple with our Complete Staff Awareness E-learning Suite.
This package contains a comprehensive overview of your cyber security needs, covering everything from your legal requirements to specific issues that employees face, such as phishing emails and social media scams.