On May 29th I discovered a database that contained what appeared to be a member list. Like most database names that do not clearly identify the ownership, this one was named Martha Johansson. I assume this is a reference to Martha Johansson, also known as No-Girl, a fictional mutant character (an isolated brain) from the New X-Men comic book series. The database name gave no indication of who owned the data, but the single folder inside was named “englishwhisky”.
According to Wikipedia, “St George’s Distillery is a distillery based in Roudham, Norfolk. It is owned by the English Whisky Company who are a producer of single malt whisky and other malt-based alcoholic spirits. It is notable for being the first dedicated English distillery for single malt whisky in 100 years at the time of the building’s completion in 2006”.
I immediately followed our responsible disclosure process and reported my discovery to English Whisky by email. There was no reply, so I sent another disclosure notice on June 5th and followed up with 4 phone calls. Disclosing a data incident by phone can be challenging, with many layers of “gatekeepers” at most technology companies or large organizations. However, each time I called them the most lovely people answered in a festive tone, with the happy sounds of a celebration in the background. I would explain the nature of the call and the seriousness of the data exposure, and was given an email address and told they would pass the message along. However, the data remained publicly accessible despite multiple attempts to notify them over several weeks.
What was in the database:
- This was an Elastic database set to open and visible in any browser (publicly accessible); anyone could edit, download, or even delete data without administrative credentials.
- 26.4k records with user names, emails, IP addresses and other details
- 23,392 Members’ information
- The database also contained information on Suppliers and Orders
- IP addresses, ports, pathways, and storage information that cyber criminals could use to move deeper into the network.
The database contained no payment or billing information and appeared to be offline at the time of publication. It is unclear how long it may have been accessible or who else may have had access to the member data. This is yet another wake-up call for offline businesses that collect and store data to be more aware of data protection and to have a process in place for taking action in the event of a data incident.
**No one from the English Whisky Company replied to our notifications or to a request for comment at the time of publication of this article.**