SimpleTire loses 1 million customer records in data breach
At the end of May, cybersecurity researcher Jeremiah Fowler announced that he had discovered “a non-password protected database that contained over a million customer records.” They were SimpleTire customer order confirmations, which – according to Fowler – “exposed…the customer’s name, phone number, physical address and partial credit card number with expiration dates.”
Fowler reports that he immediately sent a responsible disclosure notice to several email addresses at SimpleTire. However, despite “multiple email notices”, the database remained open and publicly accessible for more than three weeks. In addition to the kind of receipt data you would expect on order confirmations, the database contained “references to the installers’ information, return requests, wholesale pricing records, and what appeared to be images used on the website and in email communications”. No reply to the responsible disclosure notices was ever received, but a few days after the three-week period the database was restricted from public view.
The problem is that, by that point, a total of 2,808,697 items amounting to 1 terabyte of data had been exposed. That includes the 1,189,151 order confirmation records in PDF format mentioned above, and more.
A further problem in this case is that the first 6 digits of a credit card number, the Issuer Identification Number (IIN), can be looked up online for nearly every issuer. When combined with the known last 4 digits, criminals would know at least 10 of the 16 digits of a card number. That leaves only 6 digits to guess. Some sources report that a 7-digit code could be solved in 31 seconds, while one with 6 or fewer characters could be cracked “almost instantly”.
The report does not imply “any wrongdoing by SimpleTire, their installers, or partners”, but it will be something of a blowout for the fast-growing tyre etailer on its ongoing road to success.
Tyres & Accessories contacted SimpleTire for comment.