B&Q says it has taken action after being told that it exposed details of suspected store thieves to the net without password protection.
The matter was brought to light by a security researcher last week.
He said the DIY chain had taken the data offline, but that he himself had been unable to get a response from the company.
“We have closed the issue down and are continuing to investigate how it occurred,” a B&Q spokeswoman told the BBC on Monday.
According to Lee Johnstone, chief executive of Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs.
He blogged that these included:
- the first and last names of individuals caught or suspected of stealing goods from stores
- descriptions of the people involved, their vehicles and other incident-related information
- the product codes of the goods involved
- the value of the associated loss
One example of the details logged read: “Offender ran out of the fire exit with Nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area.”
Mr Johnstone wrote that the data was kept on an “Elasticsearch server” – an open source search engine technology that had not been set up to require user-ID authentication.
A spokeswoman for B&Q said that it believed the number reported in the blog was wrong and that there were a number of other inaccuracies in the text, but declined to say what they were.
“Our continuing investigation will help us decide whether an ICO [Information Commissioner’s Office] notification is required,” she added.
There are no reports that the database had been accessed by any other non-authorised party.
But Mr Johnstone wrote that he had sent several messages to the firm before the logs became unavailable on 23 January, which was 11 days after he had first emailed the business.
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms,” said a spokeswoman for the watchdog when asked about the incident.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”