UPDATED 21:59 EDT / FEBRUARY 25 2020

123M records found exposed on unsecured database belonging to Decathlon

French-owned international sports chain Decathlon SA is the latest company to suffer a data breach as 123 million records were found on an unsecured Elasticsearch database.

The discovery was made by security researchers at vpnMentor and published Monday. The database is believed to belong to Decathlon Spain and possibly Decathlon U.K. as well.

It included employee system usernames, unencrypted passwords, API logs, API usernames and unencrypted passwords, along with personally identifiable information. For employees, the information included names, addresses, phone numbers, birthdays, education details and contract details, while customer details included unencrypted emails, login information and IP addresses.

The database itself was discovered Feb. 12, the company was notified Feb. 16, and the database was taken offline Feb. 17.

“The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more,” the researchers noted. “It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information.”

Decathlon itself has yet to comment on the news. The company, while not known in the U.S., operates in 49 countries worldwide, including parts of Europe, Asia and South America as well as Egypt, South Africa, Australia and Canada.

“Employees responsible for protecting and using data need to have a robust security program in place to understand the systems where data is stored and monitor all access,” James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “This database was sitting in a location viewable from the internet, unsecured and unencrypted; dangerous practices that have certainly led to the exposure of a large amount of sensitive data. To have data residing on internet-facing servers that were discoverable and contain a large amount of unencrypted and unsecured sensitive data is like leaving your back door unlocked and ajar at home.”

McQuiggan noted that the employees are potentially at great risk of identity theft, spear phishing and possibly physical harm because of all of the personal data exposed in this breach. “If the data has been stolen by criminals, they are at risk of spear-phishing emails and should be monitoring their credit accounts to make sure they are aware of all activities, like address changes, or new accounts being opened,” he said.

Photo: Yoshi Canopus/Wikimedia Commons
