More than 1.3 million shoppers in the U.S. and Canada had personal data publicly exposed by MBM Company Inc., a jewelry partner of Walmart that primarily operates under the name Limogés Jewelry, according to International Business Times. Kromtech, a cybersecurity firm, found the information stored in a publicly accessible Amazon Simple Storage Service (S3) bucket that Walmart owns.
Limogés has worked with other retailers, including Amazon, Overstock, Sears, Kmart, Target and other companies, which have information stored in the bucket as well. Kromtech researchers found data such as encrypted credit card details, plaintext passwords, mailing lists, payment details, promo codes and item orders on the storage service. The records dated from as far back as 2000 to early 2018.
Walmart secured the database after Kromtech alerted the retailer to the issue. The cybersecurity firm has come across ransom notes in other unsecured databases, a sign that they were accessed by hackers, but in this case researchers found none. However, Bob Diachenko, Chief Communication Officer at Kromtech, noted that this doesn’t mean the information wasn’t accessed.
“A small third party that most people have never heard of had its weak security controls exploited, allowing hackers to access customer data from a major retailer whose name gets dragged into headlines, affecting the retailer’s reputation and bottom line,” said Fred Kneip, CEO at CyberGRX, in a statement. “That sentence describes the infamous 2013 Target breach where attackers compromised a small HVAC vendor, but could just as easily be applied to the recent Walmart breach caused by a jewelry partner. Hackers are increasingly targeting vendors, partners and other third parties to access sensitive data, and retailers need to understand that they are going to be held responsible for the security shortcomings of any third party in their digital ecosystem.”