Hobby Lobby, the American arts and crafts giant that also happened to purchase thousands of ancient artifacts looted from modern-day Iraq, exposed a large amount of data online, including customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as source code for the company’s app, according to a security researcher.
The data was as recent as 2020, affected more than 300,000 users, and totaled around 138 GB, the independent and pseudonymous security researcher known as “boogeyman,” who discovered the leak, told Motherboard in an online chat.
Boogeyman provided multiple screenshots of the data to Motherboard for verification purposes. Those images indicate the information was hosted on an open AWS bucket, a common source for inadvertently exposed data. The data also included Hobby Lobby employee names and email addresses, Boogeyman added.
“We identified the access control involved and have taken steps to secure the system,” Hobby Lobby told Motherboard in an email. Boogeyman said they previously tried to warn Hobby Lobby of the issue but received no response.
It is unclear whether Hobby Lobby is going to notify impacted users.
Hobby Lobby was the driving force behind a 2014 Supreme Court ruling which found that the government cannot force employers to provide insurance coverage for birth control if that would run against the employer’s religious beliefs, radically changing how women can obtain the pill or other contraception. Hobby Lobby’s owners founded the Museum of the Bible in Washington, DC.
Hobby Lobby is suing auction house Christie’s for selling an antique that authorities later said was looted.
Commenting on the news is Javvad Malik, security awareness advocate at KnowBe4: “Many organisations are taking advantage of cloud storage offerings such as AWS buckets. However, security always remains the user’s responsibility, regardless of what measures the cloud provider puts in place. This includes ensuring settings are applied correctly so that private information is not inadvertently exposed.
Fixing these issues doesn’t require a great deal of technical knowledge, because the features are built into the platforms. What it does need is a culture of security where processes are put in place to ensure people can correctly identify which data needs to be secured, put in place the right controls, and validate they are working as expected.”
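As an added illustration of the “validate they are working as expected” point (this is example code written for this page, not Hobby Lobby’s, Motherboard’s or KnowBe4’s), the Python below reads the three settings that decide whether an S3 bucket is reachable by the public, the bucket policy, the bucket ACL and the Block Public Access configuration, and reports whether a bucket is exposed. The bucket name, account ID, role name and policy documents are constructed samples that mirror the JSON shapes the AWS API returns; the checker itself makes no network calls, so it can be run as-is or fed the real output of the `aws s3api` commands named after the block.

```python
"""Offline checker for the misconfiguration behind most "open AWS bucket" stories:
a bucket whose policy or ACL grants access to everyone, with Block Public Access
switched off. All inputs below are constructed samples (example code for this
article, not any company's real configuration)."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# The four flags of the S3 Block Public Access feature.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True when a policy statement's Principal matches anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_findings(policy):
    """Flag Allow statements whose Principal is the wildcard."""
    findings = []
    if not policy:                      # no bucket policy attached
        return findings
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        # A Condition block (source IP, VPC endpoint, ...) may narrow the grant;
        # report it for review rather than as an outright public grant.
        severity = "review" if stmt.get("Condition") else "public"
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"policy:{severity}:{','.join(actions)}")
    return findings


def acl_findings(acl):
    """Flag ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"acl:public:{who}:{grant.get('Permission')}")
    return findings


def assess_bucket(policy, acl, public_access_block):
    """Combine the three settings into one exposed / not-exposed verdict."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    pab_complete = all(pab.get(k) is True for k in PAB_KEYS)
    findings = policy_findings(policy) + acl_findings(acl)
    # With all four Block Public Access flags on, public ACLs are ignored and a
    # public bucket policy no longer grants anonymous access, so any public
    # grant found above is latent rather than live.
    exposed = bool(findings) and not pab_complete
    return {"exposed": exposed,
            "block_public_access_complete": pab_complete,
            "findings": findings}


# ---- constructed sample inputs (not real data) ------------------------------
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-assets/*"}]}
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}

# Corrected form: access only from one application role, owner-only ACL,
# every Block Public Access flag enabled. 123456789012 is a placeholder account.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-assets/*"}]}
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"}]}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    print("weak:     ", assess_bucket(WEAK_POLICY, WEAK_ACL, PAB_OFF))
    print("hardened: ", assess_bucket(HARDENED_POLICY, HARDENED_ACL, PAB_ON))
```

To run it against a real bucket, feed `assess_bucket` the parsed output of `aws s3api get-bucket-policy` (its `Policy` field is a JSON string that must be decoded first), `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` for that bucket; a `NoSuchBucketPolicy` error from the first command simply means `policy` is `None`. Running the check on a schedule, rather than once at setup, is the “validate they are working as expected” step the quote above calls for, since a later policy change can silently reopen a bucket that was correct on day one.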