Whole Foods Market and Skaggs Public Safety Uniforms were among the companies whose customer records were accessible through a non-password-protected database with more than 82 million records in early July, according to a VentureBeat report on Friday (Oct. 15).
The logging records — which were discovered by security researcher Jeremiah Fowler and the CoolTechZone research team — included “numerous customer order records, names, physical addresses, emails, partial credit card numbers and more,” the report said, noting the records were marked as “Production.”
When the vulnerability was first discovered, between April 25 and July 11, the number of records compromised was just over 28 million. After the notice was sent, between April 25 and July 30, the number of records rose to nearly 82.1 million, according to VentureBeat.
The Whole Foods records in the vulnerable database identified internal user IDs of its procurement system, IP addresses, and what appear to be authorization logs or successful login records from an activity monitoring system. Other logs referred to school furniture manufacturer Smith System and oil trucking company Chalk Mountain Services.
Most of the payment and credit card records in the database appeared to be connected to Skaggs Public Safety Uniforms, which has offices in Colorado, Utah and Arizona. CoolTechZone searched “police” and “fire” among other queries and could see multiple agencies’ orders, notes and customization requests.
It’s unclear how long the database was in its vulnerable state and whether anyone else accessed the 82 million records. It’s also unknown whether anyone notified clients, customers or authorities about their potential exposure.
Cybersecurity issues are nothing new, of course, and even the largest companies can become victims.
Last month, Apple released an emergency software patch after researchers at the University of Toronto’s Citizen Lab uncovered a security flaw that could allow hackers to secretly install spyware on Apple devices through iMessage without users’ knowledge.
Apple’s announcement of its emergency patch came after the cybersecurity watchdog organization found an NSO spyware infection on a Saudi activist’s iPhone.