UPDATE [4:30 PM]: StoreHub has sent us a statement that says that its own internal investigations show that the vulnerability did not involve sensitive financial data or passwords. The company also “ensured that no tokens within the dataset could be used to login into a merchant’s account”.
ORIGINAL STORY [1:14 PM]:
You may not have heard of the name StoreHub, but you may have made use of its software at some point in time. The company provides point of sale (POS) software to over 1500 businesses, including retail shops and restaurants. But a report by cybersecurity publishing group SafetyDetectives claims that it may have left the personal data of about a million people exposed.
According to the report, the vulnerability was discovered all the way back in January. This left over 1TB of data, including 1.7 billion records and the aforementioned personal information of a million people, at risk. More specifically, the data can be divided into two categories: data of businesses using StoreHub, and data of those businesses’ customers. The personally identifiable information among the data includes people’s full names, phone numbers, physical and email addresses, as well as the type of device used.
SafetyDetectives goes on to say that, upon discovering the leak, its cybersecurity team contacted StoreHub, but received no response. They then contacted the Malaysia Computer Emergency Research Team (MyCERT) and Amazon Web Services instead. The vulnerability was fixed sometime between 28 January and 2 February, according to the report.
In a statement to The Star, StoreHub said that “the vulnerability was patched and resolved” on the same day the company was informed by AWS. That notification, however, reportedly came on 3 February via email, which doesn’t quite match the timeline provided by SafetyDetectives.
At any rate, this is one more incident of people’s personal data being either exposed or leaked outright. Just within the last month, there have been two other instances. One was the exposure of employee data under PIKAS. The other was the data set containing personal information of about 22.5 million Malaysians. The Ministry of Home Affairs has since denied that the latter came from the national registration department (JPN).