Raven Hengelsport Data Breach Exposes 18GB of Customer Data


The cybersecurity researchers from Safety Detectives uncovered an insecure Microsoft Azure Blob storage server linked to the Raven Hengelsport retail outlet (also called Raven Fishing B.V.), with PIIs presumably accessible for malicious hackers belonging to hundreds of thousands of consumers. 

Headquartered in Dronten, Netherlands is Raven Hengelsport, engaged in fishing gear and equipment. While online offering Raven.nl offers a wide choice of products, the corporation has many significant shops in the Netherlands and across Europe. 

In early March, the cybersecurity branch of antivirus screening site SafetyDetectives found the unsecured Azure Blob Storage Server with 18 GB of company data spanning at least 246,000 users in over 450,000 entries. Raven provides its clients across the Netherlands and Europe with a large variety of products in the retail industry. The website of Raven.nl works as a fishing supermarket to provide everything from conventional goods such as rods, rollers, and tackle boxes to more comprehensive merchandise such as tents, boats, and articles of clothing. 

"These files contained records that consisted of two different data sets, order details, and logs of PII, both of which expose the sensitive personal information of Raven's customers," the company's write-up this week explained. 

Raven.nl Order Details — include customer identifiers, delivery information, rebates, shipping charges, transactions, and tracking numbers of shipments. Customer PII [Personally Identified Information] - names, surnames, residence location, and phone numbers, e-mail, and even titles of a certain company's clients were also exposed. 

A great amount of the information leaked on the server is customer information with a total of 425,000 records of them being leaked. PII consumer data was leaked into several data rows, some even outlining the titles of key customer companies. 

Nevertheless, the situation was extremely hard for Raven, popularly known as Raven Fishing. 

"We immediately tried to get in touch with Raven once we discovered the open database, but did not receive a response from Raven regarding the breach," SafetyDetectives' researchers noted. "We later attempted to contact Raven through the live chat feature on their website.” 

The team sought to contact Raven as soon as the open database was detected, however they were not answered by Raven about the infringement. 

Afterward, they tried to get in touch with Raven via the live chat on their website. When the team first tried reaching Raven, the customer care officer concluded the live conversation without answering their statement. 

At the second attempt, the team was linked to the same employee who said they can not provide additional contact information. They were advised that their demand would be forwarded to the concerned parties and that if Raven found it appropriate, they would be approached. 

SecurityDetectives also notified Microsoft of this fault, however, MSRC refused to take any measures concerning the still-exposed server. The general customer care of Microsoft was also characterized as "not helpful," as it didn't help security researchers raising someone technical at Raven to see the data secured. 

An infringement of data of this kind has harmful effects for both Raven and its innocent clients, who have their personal information revealed. 

Raven is likely to be subject to EU data protection laws (GDPR), which could charge them up to €20 million in the company's territory or 4% of the yearly turnover of Raven (whichever is greater). However, it's the best way to deal with a data violation. If the GDPR decides to impose sanctions, small and medium-sized enterprises are more likely to obtain a mild punishment.