Decathlon suffers data leak; 120 million employee records are exposed

A new information security incident has affected a sporting goods firm. French company Decathlon has revealed that a data breach has exposed around 123 million records stored in an unsecured Elasticsearch database. The database may contain the firm’s information in France, Spain and the United Kingdom.

The compromised information included access data to the company’s online platform, such as usernames, unencrypted passwords, API logs, and personally identifiable information of the firm’s employees, including:

  • Full names
  • Email addresses
  • Birth dates
  • Academic training 

The finding was reported on February 12, and the company received the report on February 16. Hours later, the firm acknowledged the report and closed off the improper access to the database.

Active in almost 50 countries, Decathlon is one of the sports firms with the largest presence in Europe, Asia, South America and part of Africa, so its workforce is considerable. That is why the incident has drawn attention: a potential data breach would affect hundreds of people around the world.

Information security specialists believe that companies should provide their employees with all the means necessary to adequately protect their work and personal information. The finding is serious because the database was available to any user who knew where to look and was not encrypted.

Although access to the database has already been disabled, Decathlon’s problems may only be beginning. Because it operates in European territory, the firm could be investigated under the terms of the European Union’s General Data Protection Regulation (GDPR), which establishes heavy fines and a rigorous incident reporting protocol for companies that suffer data breaches and other information security issues.