Store Thieves Exposed in B&Q Stores Data Breach


Who: B&Q Stores

No. of Accounts Breached: 70,000

What was affected: The breached database contained a list of people who had been caught stealing products from B&Q stores. The document included the names of the offenders, the items they had stolen, the value of the goods and the stores they were taken from.

When it happened: January 2019

How it happened: The database should have been accessible only to individual employees, but security specialists at CtrlBox found it on an Elasticsearch server that had been left publicly available and without password protection.

Outcome: After many failed attempts to get the server closed, CtrlBox took to LinkedIn and messaged Christian Mazauric, who is the current General Director/CEO for B&Q. Attempts to email Christian and various other higher-level staff whose email addresses were listed in different public directories failed, with all emails bouncing back. Christian has viewed the message on LinkedIn; however, no response has been received. On the 23rd of January, the server finally went offline, with the data no longer accessible. It's unknown whether the server was taken offline because of the notification sent out or just by chance; either way, it's offline, and it's better that way.

Other reference: https://www.ctrlbox.com/2019/01/24/when-security-fails-70-000-offender-and-incident-logs-exposed/