Security Researcher Jeremiah Fowler, together with the WebsitePlanet research team, recently discovered a non-password-protected database that contained the names and personal information of hundreds of thousands of Argentines. Nearly a million records were publicly exposed to anyone with an internet connection. A folder named “Cliente” (which stands for “Client” or “Customer” in Spanish) contained 605k records and another one named “cuenta credito” (which stands for “credit account” in Spanish) had 280k records. This is one of the largest data leaks of customer information such as names and ID numbers in plain unencrypted text that we have seen in a very long time.

Upon further research it appeared that the records belonged to Hendel Hogar (hendel.com), a large chain of stores that sells household products, located across the province of Buenos Aires, Argentina. According to their website, the company has 31 branches and sells appliances, computers, household items, tools, toys, swimming pools, camping, covers, and much more.

We immediately sent a responsible disclosure notice to the company and public access was closed the same day. It is unclear how long the database was exposed or who else may have accessed it.

According to their Facebook page: “For more than 50 years our customers have trusted us to access the products they need, and we make it easier by granting their own Personal Credit through the Hendel Card”.

What the database contained:
Total Records Exposed: 918,395 (that appeared to be unique)
Hendel’s internal records included customer names, National ID numbers (DNI), and financial data.
605,725 records marked “Cliente” that contained what appeared to be customers’ personal data such as full names and National ID Numbers.
283,000+ records marked as credit accounts.
If ill-intentioned hackers had found the server, exposed customers could be targeted for social engineering scams or identity theft.
The files also show where data is stored and how the logging network operates from the back end.
The database was at risk of a ransomware attack or being stolen by cyber criminals.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, and Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.