B&Q leak security information of around 70,000 suspected shoplifters

B&Q has reportedly leaked information on around 70,000 shoplifters on Elasticsearch.

The leaked data included the first and last names of the thieves, along with the items they attempted to steal, the total cost of the losses, and location data for the stores.

According to a report done by an Australian security researcher, Lee Johnstone, the instance was operated by TradePoint, which focuses on trade only sales.

Johnstone said that TradePoint was running an internal programme to track incidents of theft across stores, along with information about its offenders.

The retailer kept all of the information stored on an Elasticsearch database connected to the public internet, without any form of authentication.

There was no identifying information about the retailer involved, but the researchers used the store geodata to discover that it was B&Q.

Johnstone reportedly first made contact with TradePoint to make them aware of the leak on January 12^th, but despite assurances that they were looking into the matter, the Elasticsearch instance only became inaccessible on 23^rd January 2019.