Malaysian POS provider StoreHub almost exposed one million customers in data leak
Another day, another data leak report in Malaysia. Data leaks and breaches are becoming so rampant in Malaysia that there is news about them almost every week in the local media. Now, almost a million customers have had their data leaked in what may be an industry-impacting incident.
According to a report by SafetyDetectives, their research team discovered a critical data leak affecting Malaysian point of sale (POS) and management software provider, StoreHub. The report stated that the exposed data was stored on StoreHub’s Elasticsearch server located in Singapore that was left open without any password protection or encryption.
As such, the unprotected server has potentially compromised the information of thousands of restaurants and retail stores in the country, leaking information on their staff as well as on roughly one million customers.
The leak was discovered on January 12, 2022, with the server content seemingly exposed since at least late November 2021. SafetyDetectives alerted StoreHub as soon as the link was discovered but received no response. They then contacted the Malaysian CERT and AWS, the hosting company. Both responded promptly and the server has since been secured.
“We were able to disclose the leak to the Malaysian CERT on January 28. The Malaysian CERT asked us for more information on February 2, but the server was secured by then. We estimate the server was secured between that period from January 28, 2022, to February 2, 2022,” stated SafetyDetectives.
Meanwhile, according to a statement from StoreHub, the vulnerability was fixed soon after they were made aware of it. The company also denied that there was a data leak, despite a misconfiguration in one of its servers that left data exposed.
Upon being informed by AWS on February 3rd, StoreHub stated that the vulnerability was patched and resolved on the same day.
“The decisive action helped ensure that no sensitive or private data were maliciously downloaded by any parties and the finding was confirmed through a thorough internal investigation of the incident. The investigation also revealed that no sensitive financial data or passwords were contained in the vulnerability. As an extra precautionary measure, StoreHub ensured that no tokens within the dataset could be used to log in to a merchant’s account,” the company said.
Established in 2013, StoreHub has grown to be a major POS system in Malaysia and even Southeast Asia, with over 15,000 businesses using their services. Primarily used by F&B and retail stores, the POS software is used to process and record purchases and transactions in customer-facing businesses, as well as to issue receipts and track sales of particular items.
Offering a full suite of business management tools and analytics, StoreHub has been collecting data from one million customers across the region. This makes the data leak even more concerning as both customer and business data have been compromised.
SafetyDetectives researchers pointed out that the misconfigured server contained over 1.7 billion records, with over 1 TB of data of approximately one million customers. For StoreHub customers, exposed personally identifiable information includes full names, phone numbers, physical addresses, email addresses, type of device used as well as customer payment and order information including transaction dates, ordered items, and store locations.
Businesses using StoreHub also had their staff information leaked. This included employee check-in and check-out times, employee names, store names as well as email and physical addresses. The cybersecurity team of SafetyDetectives also saw leaked access tokens, which bad actors could use to log in to and modify the businesses’ websites, potentially causing more harm.
While SafetyDetectives cannot confirm if the data leak was discovered by unethical hackers, they feel affected businesses and customers should be on alert for potential threats such as scams, fraud, and account theft, given the information that was exposed.
As for StoreHub, the POS provider said it has taken steps to prevent such incidents in the future, including working with an independent cybersecurity agency.
“StoreHub understands the severity of the matter and the potential panic caused by this occurrence to our users. We would like to reassure our users that we take the security of their data very seriously and as such, we will continually work to enhance our data security whilst addressing any and all possible concerns related to it. The team will continue to work diligently and closely with its internal teams and external experts to ensure the full and thorough protection of StoreHub’s user data while also providing comprehensive and integrated technology-driven services,” it added.