This is like a Top Gear or Grand Tour, it is extra long and contains a lot of cool stuff!

WARNING: This article contains some mild adult words later on - no images of course.

Part one
This is actually part two; part one is https://www.datasecurityexpert.co.uk/articles/273-supply-chain-security-this-will-make-you-think-twice-about-shopping-online,-especially-at-adult-stores.html. Why am I exposing more this time? Simple: things have not improved at all and have maybe got worse. You will know from my writing that I am technically biased and firmly believe the United Kingdom is very vulnerable and is not improving fast enough security-wise. I have probably ten-plus seriously shocking stories; however, this one is not about a client or an employee, hence the part-exposure.

Let’s start off in 2015 with something rather trivial. I ordered two small books; one on ISO 27001 and one on PCI-DSS. They were purchased from a well-known, though not big, IT services firm which sells consulting services, books and training courses. The books arrived, I read them and forgot about everything. Not long after, I started working at Capgemini, which has no relation to this story.

The next year, I was putting on a one-hour talk on social engineering, and was Binging, Yahooing and Googling myself to find the summary of the talk I had done at Enterprise Security 2012 in Knightsbridge. I failed to find the summary online, but, alarmingly, I did find my name, address, email address and the names of both books in a CSV on a random UK-based website.

It only took me 30 seconds to figure it out. Company x, who I bought the two books from, outsource (and still do) the storage of their stock and dispatch to logistics/warehousing company x. Next, I simply removed the CSV file name from the URL in the browser and went into a folder within the subdomain (clients.xxxxxxxx.com). There were 20+ CSVs and 5+ sub-folders in the subdomain. No HTTPS, no protection against directory browsing and no authentication.

I then opened up a few other CSVs and saw similar order lists for non-interesting items, including PII. Then it got more interesting. I opened up a CSV and started laughing, and I had to control myself. Why? I was in a meeting in London with two other non-security colleagues and 10 men and women watching/participating from Central India. The room was an AV room.

In one of the CSVs were names, addresses, email addresses, postcodes, reference numbers, order/dispatch dates, country names, order quantities, product names and tracking numbers. Now for the punch line: sex dolls, dildos, condoms, Viagra, wigs, underwear, pink handcuffs, and a lot of other seriously odd/rude things. After five seconds, I worked out this was a Western European order/dispatch list for an adult online store. Seriously funny, or not, depending on whether you are one of the customers. The adult toy company was not the only company outsourcing to them; an IT book company, film company, electrical company, music company and more were/are too.

Poor supply chain security at its best! End customers throughout Western Europe had bought sex toys through an online store, which then outsourced these orders to logistics/warehousing company x. After chuckling quite a bit, I took a few screenshots and downloaded some of the files. Then I sent a five-line email to both directors (a man and a woman) at logistics/warehousing company x. The man replied as below:

“Graeme

Thank you for your email and we are currently investigating with our Hosting company. We do take security seriously and thank you for your time in alerting us to this error.

Regards
xxxxxxxxxx”

Typical joke of a response - ‘We take security seriously’ - my **** you do! Blaming the web host is unfair. They provide a server, and it is the responsibility of the end company to secure it and to secure the website installed on it. I replied to them, and the data in clients.xxxxxxxx.com was gone. I then shredded any files I had downloaded and kept an anonymised screenshot of one of the CSVs. An article on this website was published, and that is the end of part one.

Part two
Four years had passed, and at 23.30 on 6th March 2019, I randomly remembered the story. I searched my inbox for the word ‘seriously’ and found the email, and more importantly the URL. I typed the URL into my phone, and it opened with 1600+ items in the subdomain, though most of them were of no interest. This time, there were order lists for more clients, including the adult store again. I went to bed.

On 7th March, I did some digging, downloaded most of the files with HTTrack and took five screenshots. During a break, I called up the ICO, and they said, before filing a complaint with them, to go to the company in question. The ICO told me to take evidence, since it is likely the company in question, and most others, will sweep it under the carpet without reporting it to their clients, their clients’ clients (the data subjects) or the ICO.

I did some more digging into the Ltd company, looked at their client list on their website, read testimonials and watched a video tour of their warehouse. Then I carried out some technical digging and found:
  • No enforced TLS (SSL), despite having a certificate installed
  • Out-of-date WordPress
  • A second, forgotten-about development site, which is very out of date
  • Out-of-date server
  • 8+ TCP ports open, which suggests no firewall
  • A third domain
  • Another subdomain
  • Directory browsing not disabled

This is only what I can see remotely without needing permission; their internal setup is likely shoddy too.

After speaking to the ICO, I sent both directors a long email on the morning of Thursday 7th March. Later in the day, I noticed they had emptied clients.xxxxxxxx.com, and by the Friday the subdomain had been removed. Too little, too late! The rest of the problems still exist. Getting the web host or your IT guy/gal to fix the problem is not sufficient.

They likely do not have the same knowledge as I do. The main thing here is that a web server is for public content (unless you really know what you are doing). Do not put PII on it; PII should be stored internally, on PCs. Let’s move on to what I found, heavily anonymised…
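The server-side findings above (directory listing left on, TLS not enforced despite a certificate, and order/stock CSVs readable by anyone) come down to a handful of web-server settings. The Apache virtual hosts below are an added illustration written for this article, not the logistics firm’s real configuration; the host name and file paths are placeholders, and the hardened version assumes mod_ssl, mod_alias and mod_headers are loaded.

```apache
# Weak setup, matching the findings: listing enabled, nothing forces HTTPS,
# and an exports folder full of CSVs sits straight under the document root.
<VirtualHost *:80>
    # Placeholder host name
    ServerName clients.example.invalid
    DocumentRoot /var/www/clients
    <Directory /var/www/clients>
        # Directory browsing on: anyone who strips the file name from a URL
        # gets the folder index.
        Options +Indexes
        Require all granted
    </Directory>
</VirtualHost>

# Hardened version of the same host.
<VirtualHost *:80>
    ServerName clients.example.invalid
    # Enforce TLS: port 80 only redirects, it never serves content.
    Redirect permanent / https://clients.example.invalid/
</VirtualHost>

<VirtualHost *:443>
    ServerName clients.example.invalid
    DocumentRoot /var/www/clients
    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/clients.pem
    SSLCertificateKeyFile /etc/ssl/private/clients.key
    # Tell browsers to stay on HTTPS for a year.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/clients>
        # No directory listings: a folder URL without an index file is a 403.
        Options -Indexes
        Require all granted
    </Directory>

    # Order and stock exports must not be web-reachable at all. Denying the
    # extension everywhere means a stray export is a 403, not a download.
    # Better still, as the article says, keep such files off the web server.
    <FilesMatch "\.(csv|xls|xlsx)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After reloading Apache, check from outside: a plain-HTTP request should answer with a 301 to HTTPS, a folder URL with no index file should return 403, and a direct request for a CSV should also return 403.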

The end of the directory listing. Warehouse_ Stock.csv contains all items stored in their warehouse in 2015. File count: minimum of 1600.

The main order and stock CSVs, not all of them, and some are dated to 7th March 2019. File count: as above.

An out-of-stock item. The product needs no explanation! Row count: 1.

The adult store order list, heavily edited and anonymised. The list contained orders from 10+ countries, including Belgium, France and Switzerland. Row count: 900.

Stock list, again heavily edited. These items are “mild”! Row count: 1900.

If you are wondering about the screenshots and files I have… they are stored in encrypted archives (not WinZip or anything similar) or in an encrypted folder protected with a 128-bit AES key, not a password. They are held only on hardware-encrypted storage and protected by multiple layers of firewalls, antimalware, web filtering, encrypted DNS, hard drive encryption, application whitelisting, antimalware AI and more. This is being held as evidence, so logistics/warehousing company x cannot deny anything after they have emptied the folder in question and deleted the subdomain.

Why does all of the above matter?
When we order something, we expect our PII to be kept private and the supplier to secure the supply chain.

What could you do with what I have found?
For everything in general: mainly spam, phishing and scams - social engineering. For the adult store list, a lot worse, AKA blackmail. All it takes is running each name through LinkedIn until a CEO of a large firm or a politician turns up.

I seriously value and protect privacy, as you can see from the images above, together with my data storage methods, but I could not resist putting three names through LinkedIn. I got “lucky” after two goes. By chance, person x in EU member state x is a film director who appears to be well known for producing non-English language films. That is all I did, no further research into him. End of matter. I will continue to store the data under lock and key for now and will share it with official parties upon request.

The moral of the story?
  1. Don’t store such data on a public web server
  2. Don’t rely on (and blame) your web host to provide security
  3. Secure your supply chain. Do not just send them a useless supplier assurance form which asks about asset & risk registers and more. Ask them genuine tech questions, as well as GRC, and go to their office to see their setup

Updates:
  • 18/3/2019 - No email from the company in question. Though the data was deleted and the subdomain removed, there is still a cache out there, though no PII is present in the multi-file cache.
  • 19/3/2019 - I contacted one of the companies in question who use the logistics firm to advise them of the leak. Logistics firm x tried to sweep it under the carpet.
  • 26/3/2019 - Mysteriously, logistics firm x replied to me and continued to reply. Improvements were seen. I wonder if that was to do with me contacting their client?
  • 07/06/2019 - The encrypted archive I held has been purged from my PC, encrypted USBs and any other backup store.