Is it a bird? Is it a plane? No, it's a terrible leak of drone buyers' data

Tens of thousands of online shoppers' payment details left totally unencrypted


Exclusive A popular drone dealership website left its entire transaction database exposed online with no encryption at all, revealing a host of purchases by thousands of police, military, government and private customers.

The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register.

We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection whatsoever – and the sensitive customer details in those receipts were exceptionally easy to access. Even your grandparents could have found it using Internet Explorer.

Details available for world+dog to browse through included names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer (e.g. Visa) and the last 4 digits of credit cards used to pay for goods.

Orders placed by police and military personnel included:

  • A purchase of a DJI Phantom 3 quadcopter by a serving Metropolitan Police officer, delivered to the force's Empress State Building HQ in London, and made with a non-police email address composed of his unit's very distinctive abbreviation
  • A British Army Reserve major who had a £1,100 drone posted to his unit's HQ
  • A member of the Ministry of Defence's procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance
  • A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera

It was unclear whether these purchases were for personal or governmental use.

Other orders seen by The Reg include ones placed by: staff from privatised defence research firm Qinetiq; the UK's Defence Science and Technology Laboratory's radar R&D base at Portsdown Hill; the Brit Army's Infantry Trials and Development Unit; UK police forces up and down the country; local councils; governmental agencies; and thousands more orders placed by private individuals.

Many were for cameras and other optical gear as well as drones, reflecting the network of branded e-commerce sites that Drones For Less forms a part of.

Infosec researcher Scott Helme told us: "From a technical perspective having this kind of information in a publicly accessible directory is incredibly negligent. This information should be stored in a database and most certainly should not be available to the internet and stored in plain text!

"At a minimum the company involved need to contact all of the affected customers and inform them what data has been leaked so that they can take whatever steps they deem necessary, even if that’s just so they can be vigilant for potential phishing emails. I hope that the ICO will also take action against the company for such a negligent leak of personal information."
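The failure described above is receipts written as plain files under a web server's document root, where anything the server can read, the internet can fetch. One check a site operator can run against their own deployment is a walk of the document root that flags files carrying the fields these receipts held (an email address, a card issuer with last-four digits, an IP address). The script below is an added example and is not code from Drones For Less, Scott Helme or The Register; the document root it scans is a throwaway directory it constructs itself, and the sample receipt in it is made up.

```python
import re
import tempfile
from pathlib import Path

# Patterns for the kinds of fields the exposed receipts carried: an email
# address, a card issuer followed by a last-four group, and an IPv4 address.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(
    r"\b(Visa|Mastercard|Amex|American Express)\b.{0,40}?\b\d{4}\b", re.I
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(text):
    """Return the list of sensitive field types found in a file's text."""
    hits = []
    if EMAIL_RE.search(text):
        hits.append("email")
    if CARD_RE.search(text):
        hits.append("card_last4")
    if IPV4_RE.search(text):
        hits.append("ip_address")
    return hits


def audit_docroot(docroot, extensions=(".html", ".htm", ".txt", ".json", ".csv")):
    """Walk a web server document root and return files that look like receipts.

    A file is reported when it holds card data, or at least two of the
    field types above (an email plus an IP address is already a customer record).
    Result: sorted list of (path relative to docroot, [field types]).
    """
    findings = []
    for path in Path(docroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        fields = classify(text)
        if "card_last4" in fields or len(fields) >= 2:
            findings.append((path.relative_to(docroot).as_posix(), fields))
    return sorted(findings)


def build_sample_docroot():
    """Construct a throwaway document root: one receipt-like file, one harmless page.

    Every value here is made up for the example (assumption, not data from the page).
    """
    root = tempfile.mkdtemp(prefix="docroot-")
    receipts = Path(root, "receipts")
    receipts.mkdir()
    (receipts / "order-10001.html").write_text(
        "<h1>Order 10001</h1><p>Customer: jane@example.com</p>"
        "<p>Paid with Visa ending 4242 from 203.0.113.7</p>"
    )
    Path(root, "index.html").write_text("<h1>Welcome to the shop</h1>")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel, fields in audit_docroot(root):
        print(f"EXPOSED {rel}: {', '.join(fields)}")
```

Run it against a real document root by calling `audit_docroot("/var/www/html")` (path is an assumption; use the server's actual root). Anything it reports belongs, as the researcher quoted above says, in a database behind the application, not in a directory the web server will hand out.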

About that UK web address...

Drones For Less gives a London Mailboxes ETC shop (effectively a PO box number) as its postal address, and an 0203 SIP number – which can be configured to forward calls anywhere in the world – as a contact telephone number.

We first called it to report the breach to the site's operators on 2 April. After being invited to hold by a cheery North American-accented auto-answer message, we got through to a customer support rep who introduced himself as John. He also had a distinctly North American accent. John asked us to email him details of the breach. We did this and asked repeatedly for a statement from the firm, to no avail.

Repeated follow-up phone calls resulted in John sending us the email addresses of others within Drones For Less, inviting us to ask them for a comment, which we have done.

The dronesforless.co.uk domain name is registered to a company calling itself Mapleleafphoto LLC. The address – 2 Toronto Street, Toronto, Canada, as a Nominet Whois lookup shows – is a UPS shop, so is effectively another anonymous PO Box forwarding address.

A superficially similar website called Mapleleafphoto.ca gives a Quebec contact address which appears to lead to an industrial unit in that city.

The Drones For Less operator appeared, earlier this week, to be playing whack-a-mole with individual links to samples of the breached data we sent to him, taking those down but not others. Following sustained pressure, it now appears, to the best of El Reg's ability to confirm, that the data has been removed from public view.

Drones For Less appears to be closely related to Cameras For Less, Video For Less and Tablets For Less, judging by house adverts on its Contact Us page.

A spokeswoman for the British government sent us a statement:

We treat the security of our information very seriously. We have asked the company involved to remove any public record of this data and to let all those affected know.

The UK Information Commissioner's Office and Canada's Office of the Privacy Commissioner are both aware of the breach. ®
