B&Q leaked personal details of thousands of suspected shoplifters

2558

// 70,000 offender and incident logs were leaked online according to a security expert

// B&Q has now removed the data and launched in investigation into the leak

// The leak exposed the first and last names of suspected offenders as well as descriptions


For all the latest retail technology news, make sure to visit Retail Gazette’s new publication chaRGed.com launching in the coming weeks.

B&Q has launched an internal investigation after swathes of data exposing the names and vehicle descriptions of suspected shop lifters was leaked online.

The DIY retailer exposed 70,000 offender and incident logs online on an Elasticsearch server, an open source search engine which can be accessed by anyone, according to a security researcher.

Ctrlbox Information Security’s chief executive Lee Johnstone was the first to inform B&Q of the leak, and reportedly sent the retailer numerous messages before the logs were eventually taken down 11 days later.

According to Johnstone’s blog, the details included the first and last names of individuals suspected of stealing goods alongside their descriptions, details of their vehicles and other information relating to the incidents.

Other details including the value of the goods involved and the associated loss were also part of the leak.

A B&Q spokeswoman told the BBC that it has “closed the issue down and are continuing to investigate how it occurred”.

Organisations are required to inform the Information Commissioners Office (ICO) when there has been a breach of personal data within 72 hours of becoming aware of it.

If they choose not to they may be required to justify their decision and keep a record of the incident.

B&Q said that its “continuing investigation will help us decide whether an ICO notification is required”.

Click here to sign up to Retail Gazette‘s free daily email newsletter