Walmart Partner MBM Company Exposes Data on 1.3 Million Customers

Original Release Date: 3/23/2018

Summary

Security firm Kromtech revealed that Walmart partner MBM Company Inc., which operates Limogés Jewelry, left the personal information of 1.3 million customers exposed via an unsecured Amazon S3 bucket. The open S3 bucket, named “walmartsql,” contained customers’ names, addresses, ZIP codes, phone numbers, email addresses, IP addresses, plaintext passwords, encrypted credit card numbers, and payment details for purchases made between 2000 and early 2018. The database was left publicly available from January 13, 2018 until it was recently secured by Walmart. This latest incident follows many recent breaches resulting from unsecured or misconfigured S3 buckets. 

Recommendations

The NJCCIC highly encourages MBM Company Inc. customers to immediately change their account passwords, enable two-factor authentication, and monitor their bank and credit card accounts for fraudulent activity. Additionally, we recommend that administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible.

New Jersey Cybersecurity & Communications Integration Cell
