Hobby Lobby Exposes 138GB of Customer Data, Affects 300K Users

Popular American arts and crafts giant Hobby Lobby reportedly suffered from a massive data breach that exposed 138 gigabytes worth of customer information, according to a report released by an independent security researcher called Boogeyman.

Based on the findings of the said researcher, the arts and crafts retailer experienced a cloud-bucket misconfiguration. According to Threat Post, cloud configurations have become a common phenomenon that has plagued various organizations.

In a statement to Threat Post, Valtix chief executive officer Douglas Murray said, “The Hobby Lobby incident is the latest example of why we need to take public cloud threat vectors so seriously.”

Hobby Lobby Exposes Customer Data

“In 2020, spend in public cloud exceeded spend in on-prem data centers for the first time. The hackers are doing their own version of ‘lift and shift’ and are aggressively moving to where the market is going,” continued Muray in his statement.

Senior manager of Lookout, a security solutions company, Hank Schless said to Threat Post that cloud bucket misconfigurations are common primarily because the “simplicity they offer and the speed at which organizations scale these services up and down oftentimes means the configuration of these buckets is overlooked and the data inside is left exposed.”

Organizations that have migrated and grown their systems using the Amazon S3 AWS make it easy for firms to set up their systems. However, as mentioned by Schless, the simplicity of the structure is also harmful to the companies, leading to numerous cybersecurity threats happening.

Compromised Information

The cloud bucket misconfiguration led to the exposure of 138 gigabytes worth of days. Among the information compromised in the data breach include the names of customers, their phone numbers, and their home addresses. The source code for the company was also included in the compromised information.

Apart from the aforementioned details, the email addresses of Hobby Lobby customers have also been found on the server. In addition, Vice reports that financial information such as the last four digits of the customers’ payment card details has also been made vulnerable.

Besides customer information, employee names and email addresses were also included in the breach, reports Vice.

In total, Boogeyman said that more than 300,000 customers have been affected by the incident. The security researcher took to Motherboard, an online chat forum, to expose the data leak.

Vice notes that the researcher also provided numerous screenshots as proof of the data breach, showing that Hobby Lobby had its server hosted on an open AWS bucket.

Following the data breach, Hobby Lobby told Motherboard that they have “identified the access control involved and have taken steps to secure the system.” There are no details on whether the company is going to inform affected parties.