Retail Chain Leaks 800k Records Including Customer and Credit Data

Retail-Chain-Leaks-800-Records-Including-Customer-and-Credit-Data-EN-2.png

Security Researcher Jeremiah Fowler together with the WebsitePlanet research team recently discovered a non-password protected database that contained the names and personal information of hundreds of thousands Argentines. Nearly a million records were publicly exposed to anyone with an internet connection. A folder named “Cliente” (which stands for “Client” or “Customer” in Spanish) contained 605k records and another one named “cuenta credito” (which stands for “credit account” in Spanish) had 280k records. This is one of the largest data leaks of customer information such as names and ID numbers in plain unencrypted text that we have seen in a very long time.

Upon further research it appeared that the records belonged to Hendel Hogar (hendel.com), a large chain of stores that sells household products, located across the province of Buenos Aires, Argentina. According to their website, the company has 31 branches and sells appliances, computers, household items, tools, toys, swimming pools, camping, covers, and much more. We immediately sent a responsible disclosure notice to the company and public access was closed the same day. It is unclear how long the database was exposed or who else may have accessed it.

According to their Facebook page“For more than 50 years our customers have trusted us to access the products they need, and we make it easier by granting their own Personal Credit through the Hendel Card”.

What the database contained:

Total Records Exposed: 918,395 (that appeared to be unique)
Hendel’s internal records included customer names, National ID numbers (DNI), and financial data.
605,725 records marked “Cliente” that contained what appeared to be customers’ personal data such and full names and National ID Numbers.
283,000+ records marked as credit accounts.
If ill-intentioned hackers had found the server, exposed customers could be targeted for social engineering scams or identity theft.
The files also show where data is stored and how the logging network operates from the back end.
The database was at risk of a ransomware attack or being stolen by cyber criminals.

hendel1 — Overview of storage folders that contained customer and credit data.

According to Wikipedia: the DNI or “Documento Nacional de Identidad” (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens (DNI Extranjero). The DNI is required for voting, payments, military service inscriptions and other formalities. The DNI can also be cross referenced for traffic and other civil violations using a government website. In this context, the DNI would have likely been used to identify individual customers and the credit that would be extended to them by Hendel. The records we saw contained only the number and not full scans or images of the document or individual.

Account Credit ID appeared to be an internal tracking number for credit customers. This would be a more secure way to track users on payments and receipts by using the internal number and not the DNI. The more sensitive personally identifiable information would be in the customer’s account. These numbers were in chronological order of 000001 – 283,000 and marked as enabled or active accounts. There were other numbers in the accounts that I am unsure of, so we can not confirm or deny if the credit card numbers were exposed. As an American security researcher based in Europe, I do not know much about the Argentinian tax or credit system, but I do believe that all people deserve data security when it comes to their personal information.

Hendel offers their own credit card or payment option. One folder had 283k records that appeared to contain customer credit information that was stored in the exposed database.

The Risks of Exposing Customer Credit Data

The most common form of fraud facing any consumers who had their personal information stolen would be criminals taking out loans on their behalf, applying for fake documents to commit a wide range of identity theft. Once the criminal has falsified documents they can get credit, loans, and accumulate debt in the victim’s name. Argentina is not immune to cyber crime and the country has suffered several large scale incidents in the past few years. In 2020 Argentina’s major telephone company, Telecom, was hacked and their data was encrypted with ransomware. Hackers requested a ransom of $7.5 million. Several months later Argentina’s immigration agency, “Dirección Nacional de Migraciones” was the victim of a ransomware attack that temporarily shut down the country’s borders.

This exposed data such as their name and DNI could be used by criminals online or offline to commit fraud against these customers. The individuals could be identified using open source record searches that show where they work and other information that could be used when committing identity theft to provide a full profile of the victim. We are not implying any of these individuals were at risk and Hendel acted fast and professionally to secure the data once we reported our findings. It is unclear who else may have accessed this information or how long it may have been exposed.

Open source search tools can identify individuals by numbers exposed in the database. The “Unique Labor Identification Code,” known as CUIT, and the “Single Tax Identification,” referred to as CUIL, represent crucial identifiers. This information can reveal additional customer details, potentially increasing their exposure to risks.

It is unclear if Hendel has notified authorities or customers about the data incident as required by Argentina’s Personal Data Protection Law. According to Hendel’s privacy policy in its capacity as Responsible for the Databases of Clients, Human Resources and Suppliers and Providers,  HENDEL has registered the Databases in question with the National Directorate for the Protection of Personal Data, and to date renewals as required by applicable regulations. In agreement with the Argentine National Constitution, the Personal Data Protection Act 25.326 (PDPA) (Ley de Protección de los Datos Personales) was executed in 2000 to help protect the privacy of personal data, and to give individuals access to any information stored in public and private databases and registries.

We are not implying that Hendel’s customers or credit applicants were ever at risk and we only highlight the facts of our discovery to raise awareness for data protection. We advise any company who experiences a data breach to conduct a forensic audit and notify customers or affected individuals to watch for any changes to their credit accounts. We believe that individuals deserve data privacy and security no matter what country they live in or what language they speak. At the time of publication we have not received a reply to our responsible disclosure notice.