500k People – Amber Windows UK, Data Breach

29th July 2020, TurgenSec Limited, Statement v1.0

This data breach occurred when Amber Windows/Amber Commercial (Amber U.P.V.C. Fabrications Limited), an FCA regulated company, left a database open to anyone with a browser and an internet connection. 

Archive of statement updates:

  • 29th July 2020 – V1.0 Released

Note: Throughout this disclosure ‘Amber Windows/Amber Commercial (Amber U.P.V.C. Fabrications Limited)’ shall be referred to as Amber Commercial. 

The database contained 234.6 million records, including the personal information of over 500,000 UK individuals. The sensitive data headings observed are listed below; a summary of all data headings can be found in Appendix A.

TurgenSec acted in good faith in attempting to communicate with Amber Commercial, but was stonewalled after providing information about the breached site.

Note: TurgenSec followed both its own Responsible Disclosure policies and the publicly listed policies and appropriate contact details of Amber Commercial.  

The outreach log to Amber Commercial can be found in Appendix B. 

Sensitive Data Heading summary:

  • Title
  • Name
  • Phone Number
  • Full Address
  • Area Name
  • Door Number
  • Postcode
  • IP
  • Password (plain text)
  • Username
  • Mobile Number
  • Email
  • Employee Number
  • Bank Account Number
  • Bank Name
  • Bank Sort Code
  • Employment Type
  • User Agent
  • Date
  • Payment Method
    • Finance Method Group ID
    • Name
    • Is Active
    • Is Cash
    • Is Finance
    • Finance Percent

The ‘Notes’ section of this database contained notes made about individuals which often incorporated sensitive personal information. This included (but was not limited to) sexuality – e.g. “this couple are lesbians”, illnesses – e.g. “this man has cancer”, comments on family disputes, details about financial standings and divorces.

Note: we are able to say this because we observed the publicly visible data during our breach severity triage process.

Are you in the Amber Commercial data breach or were you a customer of Amber Windows?

TurgenSec has been informed that there are potential legal claims against Amber U.P.V.C. Fabrications Limited relating to this breach. 

Update 16th September 2020: Amber do not accept that a breach has occurred and have not notified any potential victims. Because of this, the ICO are investigating and, if it is established that there has been a breach, Irvings can assist.

If you were a customer of Amber Windows or suspect they may have gathered data on you (perhaps you got a quote from them), then we encourage you to issue a GDPR request to Amber Windows to ascertain how much data about you was breached. 

Irvings Law, a reputable law firm with experience in obtaining compensation for victims of data breaches, has informed TurgenSec of potential no-win-no-fee claims for people impacted by this data breach. TurgenSec has a relationship with Irvings Law and encourages all those impacted to contact Irvings Law for consideration of a claim for compensation. TurgenSec may receive a small gratuity for referring people to join this claim.

Unfortunately some companies will not change their practices and respect user data unless it impacts their bottom line. Be part of this positive change for data rights by ensuring your rights are protected.

Summary

  • During the development of our DataShadow product, our security researchers discovered a sensitive open database accessible to anyone with a browser and internet connection.
  • We made efforts to identify the owner of this database, and came to the conclusion that it was owned by Amber Commercial (Amber U.P.V.C. Fabrications Limited).
  • We made increasingly escalating attempts to contact those responsible for securing the database, following Amber Commercial's own publicly listed policies, so that they could close the data leak.
  • We also contacted Amber Commercial through their preferred mechanism for reporting privacy issues, as stated in the privacy policy on their website:
    • “If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: [email protected]”
  • The company was unresponsive: those we communicated with closed the database after disclosure, but then refused to interact with us.

Due to the sensitive nature of the data, which we judged to be of high risk to the rights and freedoms of individuals involved, our number one priority was to close this security hole.

Since this data has probably been publicly accessible for a long time, our intention is to ensure the affected individuals are informed of the breach so they can act appropriately to protect themselves.

Disclosure Process

TurgenSec worked in line with its Responsible Disclosure Policy at all times, triaging the database only as far as needed to ascertain whether or not it should be in the public domain and, once it was clear that it should not be, who its owner was.

Appendix A – Data Headings as Observed by TurgenSec

The data headings observed related to building/construction work, financial transactions, personal data, commercial activities, sales pipeline, lead generation, staff information, logins, and open-ended data input.

Appendix B – Outreach to Amber Commercial:

  • 28th February 2020 – The web portal for Amber Commercial listed the mobile number of an individual to contact in case of issue. TurgenSec sent the below message to that number: 

I got your number from AmberCommercial.com. I am a security researcher for a cyber security startup and I want to report an open database to you or your internet team at Amber Commercial so that you can get a password put on it and prevent any breaches. 

I am not trying to get anything out of this, just informing you of an open database.

  • 7th May 2020 – TurgenSec sent an email to [email protected] disclosing the breach, providing the IPs involved and redacted screenshots with enough information to cross-reference and confirm our legitimacy.
    • TurgenSec also sent its Responsible Disclosure Policy.
  • 7th May 2020 – A TurgenSec director called the mobile number listed on the website. 
    • The person answering the phone confirmed that they were the individual we expected.
    • They were keen to know which site there was a problem with. We informed them it was Amber Commercial.
    • TurgenSec requested an email address to send through the full details.
    • The individual informed us they did not have an email address and hung up.

TurgenSec conducted preliminary OSINT on the individual and found two publicly listed emails and Google Forum posts asking numerous questions about how to set up a document database identical to the one breached. 

Within the Google Forum posts the individual claims to have corrupted a large database matching the breached one that takes over ‘24 hours to export’.

  • 7th May 2020 – The database was closed following this phone conversation.
  • 18th May 2020 – A TurgenSec director called the mobile number listed on the website in an attempt to open a dialogue, but did not get through. 
  • 19th May 2020 – A TurgenSec director called the mobile number listed on the website in an attempt to open a dialogue, but did not get through. 
  • 20th May 2020 – A TurgenSec director used an outbound VOIP provider to call the mobile number listed on the website in an attempt to open a dialogue, but did not get through.
  • 23rd May 2020 – A TurgenSec director used an outbound VOIP provider to call the mobile number listed on the website. An individual answered and, midway through our explanation of the situation, told us “not to worry about this” and hung up.
  • 5th June 2020 – TurgenSec had been unable to open a line of communication with Amber Commercial and the database had been closed, so, in line with our responsible disclosure policy, we emailed [email protected] informing them of the dates and times we had tried to contact them and that we intended to proceed in line with our responsible disclosure policy.
  • 10th June 2020 – A BBC journalist contacted Amber Commercial and put us in contact with an employee. TurgenSec explained the situation to this employee who claimed to have not received any of our emails and that we were lying.
    • TurgenSec resent the original emails along with our responsible disclosure policy, but notes that the original emails sent were opened according to email tracking.
  • 25th July 2020 – TurgenSec emailed Amber Commercial requesting confirmation of their response to this data breach. 

“Over a month has elapsed since TurgenSec made Amber Windows aware of a data breach that impacted 500,000 individuals and contained sensitive personal information as defined by GDPR.

Under GDPR you are obliged to inform the impacted individuals; alongside this, our Responsible Disclosure Policy states the need for public disclosure.

We have, as of the 24th of July, not observed any public disclosure of this data breach from Amber Windows, nor have we seen any indication that Amber Windows has informed the 500,000 impacted individuals of this data breach. 

Please can you inform us of your intentions to publicly disclose this data breach. 

Please may you also inform us of how many of the 500,000 impacted individuals you have informed. 

If we do not hear back from you we will proceed in line with our responsible disclosure policy which I attach for your convenience.”

  • Amber Commercial replied to this email, but did not provide any assurances.