UAE: IT Service Provider for Dubai Duty Free with Data Breach











Today we're talking about a commercial enterprise located in the United Arab Emirates. This information came from an IT service provider for Dubai Duty Free called touchworldtechnology.









Dubai Duty Free (DDF) is a retail operation at Dubai International Airport (DXB) and Al Maktoum International Airport (DWC), recognized as one of the largest and most successful duty-free shops in the world.






What data was exposed?

Here you can see the open directory when it was exposed






An open directory containing 90GB of information was exposed at the time, likely due to an error or misconfiguration.






While reviewing the folders, I found data that shouldn't have been publicly exposed. According to my information, this data had been exposed since the beginning of the year. I discovered it in early September, so imagine how long it had been exposed.






What files did that open directory contain?

A ship bill internal document from Dubai Duty Free






At first, I saw Excel spreadsheets, invoices, test invoices—irrelevant things—but as I continued, I saw passports and ID cards, which started to worry me. I also saw an env file containing the entire MySQL database configuration with its username and password, as well as the configuration of the bucket on http://digitaloceanspaces.com with its access key and secret.







So, someone backed up the bucket and left it exposed?
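A check a defender could run over any folder before it is served or copied to a backup location, to catch the kind of env file described above. This is an added example, not code from the original post or from any party named in it; the key names (`DB_PASSWORD`, `SPACES_ACCESS_KEY`, `SPACES_SECRET`) and the sample tree are constructed assumptions.

```python
import os
import re
import tempfile

# Key names that suggest a credential in a dotenv-style file (assumed list).
SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|ACCESS_KEY|TOKEN", re.I)

def is_env_file(name):
    """Match .env, .env.production, app.env and similar names."""
    return name == ".env" or name.startswith(".env.") or name.endswith(".env")

def parse_env(text):
    """Yield (key, value) pairs from dotenv-style text, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        yield key.strip(), value.strip().strip("'\"")

def audit_tree(root):
    """Return sorted (relative_path, key) findings for credential keys that are set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(is_env_file, files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for key, value in parse_env(fh.read()):
                    if value and SECRET_KEY_RE.search(key):
                        findings.append((os.path.relpath(path, root), key))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: a backup folder with an env file beside ordinary files."""
    os.makedirs(os.path.join(root, "backup", "app"))
    with open(os.path.join(root, "backup", "invoice.txt"), "w") as fh:
        fh.write("test invoice\n")
    with open(os.path.join(root, "backup", "app", ".env"), "w") as fh:
        fh.write("# constructed values\nDB_CONNECTION=mysql\nDB_USERNAME=app\n"
                 "DB_PASSWORD=example-not-real\nAPI_TOKEN=\n"
                 "SPACES_ACCESS_KEY=EXAMPLEKEY\nSPACES_SECRET='example-secret'\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, key in audit_tree(build_sample(tmp)):
            print(f"{rel}: {key} is set")  # the value itself is never printed
```

Any finding means the credential should be rotated, not just the file removed, since there is no way to know who already copied it.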






Notification:






I sent an email to DDF on September 3rd warning them about this situation. When I saw that no one responded, I sent an email to the AE Computer Emergency Response Team (AECERT) on September 5th. No one replied, but on September 10th, I received an email thanking me for my concern and saying they would forward the email to the appropriate department.




This was closed on September 13th, according to my follow-up.