123 million Records Breached in Cyberattack on Sports Retailer Decathlon

Sports retailer Decathlon, which has outlets in 49 countries globally, has reported a data breach affecting 123 million records, which included unencrypted passwords.

The breach was first noticed by VPNmentor on 12 February, and they alerted Decathlon four days later.

Noam Rotem and Ran Locar at VPNmentor wrote in a blog posting revealing the find, and explaining why it can take days between discovery and notification: “Sometimes the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data. Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness. Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.”

According to a security expert, the breached records included “a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information”.

Along with unencrypted passwords, the data included usernames, full addresses, social security numbers, dates of birth, email addresses and qualifications – pretty much everything that is needed for identity theft. The researchers said: “Decathlon could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to, secure your servers, implement proper access rules, never leave a system that doesn’t require authentication open to the internet.”

As the breach falls under the remit of the European Union’s General Data Protection Regulation (GDPR), the fine could be as high as 4% of annual global revenue for 2018, which equates to $512 million.