Major Australian hardware and DIY supply store Sydney Tools has exposed the data of its employees and customers after it left a database publicly accessible.
The research team at US publication CyberNews discovered an exposed ClickHouse database that contained over 5,000 former and current employee records, as well as details for over 34 million online orders.
The employee records contain full names, salaries, sales targets and branches of employment, according to the media outlet, while customer purchase records included names, email addresses, home addresses, phone numbers and items ordered.
While the researchers at CyberNews refer to the incident as a data leak, the publication did not confirm whether any data has been accessed or leaked by threat actors.
The publication did, however, highlight that the exposed database is still publicly accessible despite attempts to contact Sydney Tools about the incident. Cyber Daily has also reached out to Sydney Tools regarding the incident but has yet to receive a response.
The data exposed in the database could prove to be a treasure trove to hackers for common cyber crimes like phishing scams, identity theft and more, but could also be used for tool theft, according to the CyberNews research team.
“[The exposed data could] aid cyber criminals in the surprisingly common crime of tool theft, as well as more standard cyber crimes such as identity theft, phishing, or spam campaigns,” said the research team.
The team added that the data within the exposed database “is sensitive as it included extensive personally identifiable information in large volumes, as well as sensitive information regarding which customers purchased expensive items, and the salaries of their employees”.
In a similar incident last year, a database belonging to US home improvement and hardware retailer Home Depot was exposed in a third-party cyber incident.
In April last year, a database containing the data of over 10,000 of Home Depot’s 475,000 staff was posted to the notorious BreachForums hacking forum by infamous leaker IntelBroker.
“Today, I have uploaded the Homedepot.com database for you to download, thanks for reading and enjoy!” said IntelBroker on BreachForums.
According to the listing, the data included employees’ full names and email addresses and could be downloaded for only four BreachForums credits, an earnable currency that users can get through posting to the site, encouraging them to contribute.
Speaking with BleepingComputer, Home Depot confirmed that it was aware of the attack and that the data was exposed by accident by one of its third-party software-as-a-service (SaaS) vendors after it fell for a phishing attack.
“A third-party software-as-a-service (SaaS) vendor inadvertently made public a small sample of Home Depot associates’ names, work email addresses and user IDs during testing of their systems,” said a spokesperson.
While no financial or banking information was leaked, threat actors who accessed the data could use it to launch new attacks or commit fraud to then gain access to affected individuals’ finances or further breach the company’s network.