Research by BNR found that the personal data of 60,000 customers of the Brandfield jewelry chain could be viewed online by anyone. The cause was a poorly secured cloud environment.
More than a hundred thousand orders placed with the jeweler from 2018 to 2020 were stored on a Google Cloud server that was publicly accessible. According to Brandfield, this involved a backup of customer data. The company will inform all victims on Tuesday.
“Data like Brandfield’s is truly a gold mine for criminals,” said Dave Maasland, director of cybersecurity company ESET-Nederland. Such data is used, for example, for phishing attacks that trick people into downloading malicious software. “If you receive an email about a gold chain that you ordered in 2020, you are inclined to click on it.”
Half a million servers open and exposed
Brandfield is not the only company that leaves customer data lying around in this way. Using the Gray Hat Warfare scan tool, BNR was able to identify more than fifty Dutch cloud servers that were visible to everyone, of which Brandfield was one of the most extreme examples. The tool indexes more than a billion files worldwide that are openly accessible on almost half a million storage servers (buckets) at AWS, Azure and Google Cloud, among others.
“Cloud storage is actually better secured than traditional storage,” says Simon Besteman, director of the Dutch Cloud Community. “But you have to ensure that not just anyone has access.”
‘Gross negligence’ by Brandfield
According to Frederik Zuiderveen Borgesius, professor of ICT and law at Radboud University, Brandfield also broke the law by failing to secure its customer data. “If you store personal data, you must protect it properly,” he says. “That clearly didn’t happen here.” Cybersecurity specialist Joost Gijzel of DataExpert even speaks of “gross negligence”.
Brandfield took the server offline on Friday and reported the leak to the Dutch Data Protection Authority (AP). “We are very shocked,” says Bas Beukers, Brandfield’s operational director. “We also conducted internal audits to see if there were any more such leaks, but fortunately there were not.” The company does not yet know how long the data was exposed or why it was not secured. “We are currently investigating this.”
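The leak described above, and the scan results in the section before it, come down to one misconfiguration: a storage bucket whose access policy grants read access to everyone. The following is an added example, not code from the article, BNR or Brandfield, of the check an internal audit of the kind Brandfield describes would run. It reads the JSON that `gsutil iam get gs://BUCKET` (the bucket IAM policy) and `gsutil acl get gs://BUCKET` (the legacy bucket ACL) print, and reports every grant to the public principals `allUsers` and `allAuthenticatedUsers`. The bucket names and policies are constructed samples, not real Brandfield data.

```python
"""Audit Google Cloud Storage access grants for public principals.

Added example; not code from the article, BNR or Brandfield. Input is the
JSON printed by `gsutil iam get gs://BUCKET` (bucket IAM policy) and
`gsutil acl get gs://BUCKET` (legacy bucket ACL). All policies below are
constructed samples.
"""
import json

# Principals that make a grant public. allAuthenticatedUsers is effectively
# public too, because any Google account qualifies.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_iam_bindings(policy):
    """Return (role, member) pairs granted to public principals in an IAM policy.

    Conditional bindings are reported as well: a condition narrows a public
    grant but does not remove it, so an auditor should still review it.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def public_acl_entries(acl):
    """Return (role, entity) pairs granted to public principals in a legacy ACL.

    Legacy ACLs only apply when uniform bucket-level access is off, but then
    an object can be public even if the bucket IAM policy is clean, which is
    why the audit checks both.
    """
    return [(entry["role"], entry["entity"])
            for entry in acl if entry.get("entity") in PUBLIC_PRINCIPALS]


def audit_bucket(name, iam_policy_json, acl_json="[]"):
    """Audit one bucket from the JSON strings gsutil prints; return findings."""
    findings = []
    for role, member in public_iam_bindings(json.loads(iam_policy_json)):
        findings.append({"bucket": name, "source": "iam",
                         "role": role, "principal": member})
    for role, entity in public_acl_entries(json.loads(acl_json)):
        findings.append({"bucket": name, "source": "acl",
                         "role": role, "principal": entity})
    return findings


def audit_all(buckets):
    """buckets: iterable of (name, iam_policy_json, acl_json) tuples."""
    out = []
    for name, iam_json, acl_json in buckets:
        out.extend(audit_bucket(name, iam_json, acl_json))
    return out


# Constructed sample: a backup bucket whose objects anyone on the internet
# may list and download, the shape of the misconfiguration in the article.
EXPOSED_BACKUP_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "etag": "CAE=",
})

# Constructed sample: IAM policy is clean, but the legacy ACL still grants
# the public READER.
LEGACY_ACL_POLICY = json.dumps({
    "bindings": [{"role": "roles/storage.admin",
                  "members": ["group:storage-admins@example.com"]}],
})
LEGACY_ACL = json.dumps([
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
])

# Constructed sample: correctly restricted bucket (only a service account).
PRIVATE_POLICY = json.dumps({
    "bindings": [{"role": "roles/storage.objectViewer",
                  "members": ["serviceAccount:backup@example.iam.gserviceaccount.com"]}],
})

SAMPLE_BUCKETS = [
    ("orders-backup-2018-2020", EXPOSED_BACKUP_POLICY, "[]"),
    ("legacy-assets", LEGACY_ACL_POLICY, LEGACY_ACL),
    ("private-backups", PRIVATE_POLICY, "[]"),
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_BUCKETS):
        print(f"PUBLIC  gs://{f['bucket']}  {f['source']}  "
              f"{f['role']}  {f['principal']}")
```

Run against real buckets by feeding it the output of `gsutil iam get` and `gsutil acl get` for every bucket in every project, not just the ones the team remembers creating; a forgotten backup bucket is exactly the case in the article. A public grant is removed with `gsutil iam ch -d allUsers gs://BUCKET`, and `gsutil pap set enforced gs://BUCKET` (public access prevention) stops anyone from re-adding one, which is the durable fix rather than a one-off audit.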
Brandfield: ‘hopefully a lesson for others’
Beukers warns other companies to be careful with cloud storage. “We are not happy with it,” says the operational director. “But let this be a warning to others.” Maasland of ESET-Nederland applauds Brandfield’s openness: “We must all ensure that more awareness is created, so that data leaks that could have been prevented are actually prevented in the future.”