UK retail giant Monsoon has critical vulnerability giving unauthorized access to internal company servers

StarKenzie

Level 1
Thread author
Mar 26, 2020
14
New research from VPNpro shows that Monsoon Accessorize uses an old Pulse Connect Secure VPN version that has a known vulnerability and allows hackers to steal or ransom sensitive internal company files, customer data, and much more.

The Pulse Connect Secure vulnerability (CVE-2019-11510, rated as “critical”), which dates back to April 2019, can allow hackers to see any active users on the company VPN, as well as their plaintext passwords. They can then use this information to get into those servers for malicious purposes and could harm both the company and its clients. The threat is serious: even the US Department of Homeland Security has issued a warning urging businesses to upgrade their VPNs.

By using this vulnerability, our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.

We attempted to contact Monsoon multiple times via multiple channels from May 28 until June 10. At the time of writing this article, we have still received no reply and the vulnerability remains.
 
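The post above describes the impact of CVE-2019-11510 but not how a defender would spot it being used. The following is an added detection example, not part of the original post or of VPNpro's research: it parses web-server access-log lines and flags requests that use the public CVE-2019-11510 pattern (a `..` traversal out of the `/dana-na/` tree combined with the `/dana/html5acc/guacamole/` query suffix, both documented in the vendor advisory and the CISA alert). The log lines are constructed for this example; the source addresses, timestamps and sizes are invented, and the prefixes in PULSE_ROOTS are an assumption about which paths the appliance legitimately serves.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Not real Monsoon
# traffic: addresses are documentation ranges, timestamps and sizes are made up.
# Lines 2-4 use the CVE-2019-11510 traversal; the file paths are ones the public
# advisories list as targets (the lmdb file holds VPN session data).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4521
198.51.100.7 - - [26/Mar/2020:10:02:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1320
198.51.100.7 - - [26/Mar/2020:10:02:17 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576
203.0.113.9 - - [26/Mar/2020:10:03:00 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 240
203.0.113.10 - - [26/Mar/2020:10:04:00 +0000] "GET /dana/home/index.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Public indicators for CVE-2019-11510: the query-string suffix that makes the
# appliance treat the request as a static html5acc resource, and the application
# prefixes a legitimate request should stay under (assumed list, extend as needed).
GUAC_SUFFIX = "/dana/html5acc/guacamole/"
PULSE_ROOTS = ("/dana-na/", "/dana/", "/dana-ws/", "/dana-cached/")


def decode_path(raw):
    """Percent-decode up to two layers; double encoding is a common evasion."""
    prev, cur = None, raw
    for _ in range(2):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def analyse_request(target):
    """Classify one request target (path plus optional query string)."""
    path, _, query = target.partition("?")
    decoded = decode_path(path)
    has_dotdot = ".." in decoded.split("/")
    # normpath clamps at "/" for absolute paths, so this yields the file the
    # appliance would actually open once the traversal is resolved.
    normalised = posixpath.normpath(decoded)
    escapes_app = has_dotdot and not normalised.startswith(PULSE_ROOTS)
    guac_bypass = decode_path(query).startswith(GUAC_SUFFIX)
    return {
        "decoded_path": decoded,
        "normalised": normalised,
        "traversal": has_dotdot,
        "escapes_app": escapes_app,
        "guac_bypass": guac_bypass,
        "cve_2019_11510": escapes_app and guac_bypass,
    }


def scan_log(text):
    """Return one finding per suspicious request; 'confirmed' means the full
    CVE-2019-11510 pattern was seen and the server answered 200."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyse_request(m["target"])
        if verdict["traversal"] or verdict["guac_bypass"]:
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "file": verdict["normalised"],
                "confirmed": verdict["cve_2019_11510"] and m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "CONFIRMED" if f["confirmed"] else "suspicious"
        print(f"{f['ts']} {f['src']} {flag} read of {f['file']} (HTTP {f['status']})")
```

A 200 response to one of these requests is the signal that matters: an unpatched appliance returns the file, so the session database and the cached credentials the post refers to should be treated as exposed and every VPN password rotated after patching, not before.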

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
They only promise secure transit of data, but nothing about storing data in a secure environment.
When you shop with us we’ll ask you for certain information (such as your email address, name, address, and where you purchase a product, your payment details) to make sure that your order and delivery go smoothly. Any information you hand over reaches us fully encrypted through an SSL – a special security layer added to your account and checkout pages.

Data inside Monsoon’s internal servers
  • Daily sales data
  • Meeting minutes
  • Business intelligence data
  • Other internal documents
  • 45,000 customer names, emails, countries and what appears to be store codes
  • Roughly 650,000 reward card and voucher numbers, many still active until 2021, with initial and remaining balances.
  • A sample file containing 10,000 customer records, including names, email addresses, phone numbers and mailing and billing addresses
 
