Decathlon is a global sporting goods retailer with over 100,000 employees and 1,700+ storefronts worldwide. In 2022, Decathlon reported 15.4 billion euros of net sales revenue, shared with 55,000 shareholding teammates. However, Decathlon suffered a significant data leak a year before its substantial revenue report. Credentials from that attack have resurfaced recently, putting the private information of nearly 8,000 individuals at risk.

How Did the Attack Occur? 

The attack did not occur due to Decathlon’s negligence but from one of their partners, Bluenove. The fault of the data breach lies with Bluenove, despite its impact directed at Decathlon employees. Bluenove, a tech and consulting solution assistant, conducted a survey and stored those answers within a misconfigured Amazon Web Service server. We suspect that the misconfiguration of Bluenove’s server may have occurred via an unchanged administration password or user negligence; the hacker could have taken advantage of the server following a user not adequately securing the data after its use.

What Information was Viewed or Stolen? 

The stolen information was part of a 61-MB database that contained sensitive employee details, including personally identifiable information (PII). The hackers obtained employee names, usernames, countries and cities of residence, phone numbers, emails, authentication tokens, and photographs. Hackers stole the same information two years ago, confirming this leak is related to the prior. The loss of employee PII is substantial, opening individuals to risk while bringing threat actors to the doorstep of Decathlon.

How Did Decathlon Admit to the Breach? 

The most recent breach is a continuation of an attack two years ago. On March 9th, 2021, a data breach was discovered by vpnMentor, prompting communication with Bluenove and Decathlon in response. Experts had mended the vulnerability on April 13th, 2021, but a single threat actor stole data within that window. Fast forward to September 7th, 2023, and another data leak is detected by vpnMentor. Shortly after this, on September 18th, Bluenove confirmed copies of the stolen 2021 database are on dark forums. As of October 14th, neither Bluenove nor Decathlon have made public statements about the breach; however, those impacted by it should expect breach notifications in the coming weeks.

What Will Become of the Stolen Information? 

It’s challenging to say what will happen with the stolen data. If cyber experts had asked the question two years ago, they may have warned against identity schemes. Now, however, other situations may unfold. Advanced phishing and impersonation attempts could be on the horizon, but more likely, hackers may be interested in authentication permissions. The theft of employee usernames and authentication tokens may point toward conglomerate network threats. At the same time, email accounts and photos may indicate private access threats. Even worse, the information could resurface later because there are multiple copies of the 61-MB database online now.

What Should Affected Parties Do in the Aftermath of the Breach? 

Decathlon employees from March 2020 to November of that year must contact Decathlon to discuss their options. They should also take measures to ensure their data is protected. They can start by updating their email and company accounts with multi-factor authentications. Those impacted should also consider hiring financial and identity monitoring services; monitoring these essential accounts can go far in mitigating damages brought on by the data breach.