On May 29th I discovered a database that contained what appeared to be a member list. Like most database names that do not clearly identify the ownership, this one was named Martha Johansson. I assume this is a reference to Martha Johansson, also known as No-Girl, a fictional mutant character, an isolated brain, from the New X-Men comic book series. The database name did not give any idea of who was the owner of the data, but the single folder inside was named “englishwhisky”.
According to Wikipedia, “St George’s Distillery is a distillery based in Roudham, Norfolk. It is owned by the English Whisky Company who are a producer of single malt whisky and other malt-based alcoholic spirits. It is notable for being the first dedicated English distillery for single malt whisky in 100 years at the time of the building’s completion in 2006”.
I immediately followed our responsible disclosure process and reported my discovery to English Whisky by email. There was no reply, and I sent another disclosure notice on June 5th and followed up with 4 phone calls. Disclosing a data incident by phone can be challenging with many layers of “gatekeepers” at most technology companies or large organizations. However, each time I called them, the most lovely people answered in a festive tone with happy sounds of a celebration in the background. I would explain the nature of the call and the seriousness of the data exposure and was given an email address and told they would pass the message along. However, the data remained publicly accessible despite multiple attempts to notify them over several weeks.
The database contained no payment or billing information and appeared to be offline at the time of publication. It is unclear how long it may have been accessible or who else may have had access to their member data. This is yet another wake-up call for offline businesses that collect and store data to be more aware of data protection and have a process in place to take action in the event of a data incident.
**No one from the English Whisky Company replied to our notifications or a request for comment at the time of publication for this article**