UK digital shopping website leaks tens of thousands of online shoppers’ payment details
According to The Register, DronesForLess.co.uk, a popular UK online shop for digital goods, inadvertently disclosed thousands of purchase records and personal information belonging to police, military, government, and individual customers. The root cause of the incident was that the site’s transaction database was accidentally exposed online and was not protected by encryption.
According to The Register, the incident was discovered by Alan Turnbull, a technical consultant from the UK-based Secret-bases. He passed his discovery to The Register reporter Gareth Corfield as an exclusive.
Alan told reporters that the operator of the DronesForLess.co.uk website did not properly protect key parts of its network infrastructure. This left the site “completely open” to curious people: the data could easily be found using nothing more than Google search queries.
After learning of this, The Register confirmed the authenticity of the incident. They found that about 13,000 dated purchase records, covering the period from October 2015 to March 31, 2018, were stored on DronesForLess.co.uk’s web server, and that this data was neither encrypted nor even password protected.
The severity of the incident is self-evident: anyone who could find this web server on the Internet could freely browse the data described above.
According to the report, these purchase records also contain consumers’ detailed personal information, such as name, address, phone number, email address, IP address, details of the device used to access the website, details of the purchased product, the issuing bank, and the last four digits of the payment card number.
The purchase records include no shortage of staff from the police, the military, and the government, such as:
- A purchase of a DJI Phantom 3 quadcopter by a serving Metropolitan Police officer, delivered to the force’s Empress State Building HQ in London, and made with a non-police email address composed of his unit’s very distinctive abbreviation
- A British Army Reserve major who had an £1,100 drone posted to his unit’s HQ
- A member of the Ministry of Defence’s procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance
- A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera
The Register said that these are only a very small part of the purchase records. Other customers include staff of the UK’s private defense research institute QinetiQ, the British National Defense Science and Technology Laboratory’s Radar R&D base in Perth Taushan, and the British Army’s infantry trials and development troops, as well as police stations large and small, local councils, and government agencies across the country. There are, of course, many more private orders.
It is worth noting that most of the goods purchased by police, military, and government workers are drones, cameras, and other optical devices. It is unclear whether these were personal or official purchases.
The Register reported this data breach to DronesForLess.co.uk on Tuesday. The website did not give any explanation, but simply deleted all the leaked data. The data can no longer be accessed by the public.