B&Q data leak exposes information on 70,000 thefts from its stores, including names of suspected offenders

Internal database was accessible to the world – no password required.

Graham Cluley
Graham Cluley
@[email protected]

B&Q data leak exposes information on 70,000 thefts from its stores, including names of suspected offenders

If you run a chain of superstores up and down the UK you have to recognise that from time-to-time ne’er-do-wells are likely to steal goods from your shelves.

And so it wouldn’t be a surprise if those stores maintain a database of the names of those people who they have caught stealing products, what was stolen, the value of the good stolen, and which stores they were stolen from.

After all, you might wish to ban people who have stolen from you in the past, or suspect might steal from you in the future, from your premises.

Sign up to our free newsletter.
Security news, advice, and tips.

Oh, and one thing is for sure – you certainly would want to make sure that such a database wasn’t itself easy to steal…

Unfortunately, according to security specialists at Ctrlbox, well-known UK household goods and hardware store B&Q has been careless with its database for tracking offenders and thefts – leaving it wide open for anyone on the internet to access.

A database of 70,000 offender and incident logs was only supposed to be accessible internally within B&Q, but was instead exposed for anyone to access.

The offending (ho ho..) data was on an ElasticSearch server – a technology used for powering search functions – and was not protected by a password.

The nature of the data (alleging possible criminal activity and including in some cases people’s names and vehicle details) meant, of course, that it could be considered highly sensitive and could have serious repercussions if it fell into the wrong hands through such sloppiness.

Database entry

That’s obviously bad. But what makes things worse is the hoops Ctrlbox had to jump through in order to get the data removed from the internet.

Having determined that the breach was related to B&Q by analysing GEOIP information, product codes, and types of goods listed in the exposed data, Ctrlbox’s Lee Johnstone sent a notification to the store’s support team. This was followed a day later by a message to B&Q over Twitter.

Four days after the first notification, Johnstone says that the data was still wide open:

“…clearly they had not got the message and it was becoming clear that B&Q was not going to act on this any time soon, so another message was sent to support who once again assured me that the message had been sent to the right people.”


Johnstone says that after a week he had communicated with three different support staff, but nothing had been done. He even tried messaging B&Q CEO Christian Mazauric on LinkedIn (according to Johnstone, Mazauric read the message, but never replied).

The offending ElasticSearch server only finally went offline two days ago – almost two weeks after B&Q was informed about the problem.

Companies need to act more quickly when informed of serious security breaches. And all staff, even if they don’t have the ability to assess the seriousness of a security issue themselves, need to understand the importance of escalating it to the right team in a prompt fashion.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “B&Q data leak exposes information on 70,000 thefts from its stores, including names of suspected offenders”

  1. mdpepa

    Do you think there is opportunity to improve how 3rd parties report incidents like these? So much of the confusion would be that they are unaware of the source, nor how to verify their authenticity.

    If the police/ncsc/ico used the same method as you would with a fraud, then there would be an improved level of trust and thus likely response. Also this would be great for their own reporting, as suddenly they hold the start date for any breach notification.

    1. Kieran · in reply to mdpepa

      It is kind of irrelevant what the source of the information is. If someone gets in touch to say that your company has potentially been involved in a data breach, then surely in the wake of the big GDPR push a company such as B&Q (you would like to think) would have a direct notification process internally to their DPO and conduct an immediate investigation into such claims.

      They may get stung here as it appears that the ICO were not informed by B&Q, inside or outside of the 72 hour window, and it took 2 weeks to take the server offline.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.