24,000 Abandoned Redbox DVD Rental Kiosks Are Leaking Sensitive Customer Information
You probably remember Redbox, the DVD-rental kiosk company that went bankrupt last June. The story behind the bankruptcy is interesting, in case you missed it. The company failed to pivot to streaming (you might recall the failed joint venture with Verizon), and the bankruptcy has been profoundly ugly in a scorched-earth kind of way.
Frustrated employees (who stopped receiving health insurance last May) have apparently been stripping the company for parts, including selling used DVDs all over eBay. The company’s kiosks have also been left abandoned everywhere. 404 Media had a good story about how some innovative tinkerers have been making interesting use of the abandoned machines (of course they’re capable of running Doom).
But Ars Technica notes another problem: many of the abandoned machines still have the sensitive data of customers left on the hard drives. That includes rental histories, email addresses, zip codes, and, in some cases, credit card numbers, all going back to at least 2015:
“[The Redbox] logged lots of information, including debugging information from the transaction terminal, and they left old records on the device. This probably saved them some time on QAing software bugs, but it exposed all their users to data being leaked.”
There are numerous mistakes here, including storing any of this data locally and logging way more data during transactions than was reasonably needed. These are flaws that transparent security research could have identified, prompting a fix before they became a problem.
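A sketch of the second fix, scrubbing debug log records before they reach disk; this is an added example, not Redbox's code. The log lines are constructed, the field names are hypothetical, and it covers only card numbers and email addresses.

```python
import logging
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample debug lines; field names are hypothetical.
SAMPLE = [
    "txn=1001 card=4111 1111 1111 1111 email=jane.doe@example.com zip=60601",
    "txn=1002 order=1234567890123456 title='Some Movie' zip=73301",
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match):
    """Mask a candidate only if it is Luhn-valid, keeping the last four."""
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()  # order ids etc. stay readable for debugging
    return "[PAN ****" + digits[-4:] + "]"


def scrub(text):
    """Redact card numbers and e-mail addresses from one log message."""
    return EMAIL_RE.sub("[EMAIL]", PAN_RE.sub(mask_pan, text))


class ScrubFilter(logging.Filter):
    """Attach to a handler so records are scrubbed before reaching disk."""

    def filter(self, record):
        record.msg = scrub(record.getMessage())
        record.args = None  # message is already formatted
        return True


if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub(line))
```

Attach the filter with `handler.addFilter(ScrubFilter())` on every handler that writes to persistent storage.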
Redbox and its corporate parent, Chicken Soup for the Soul Entertainment, clearly not only sucked at business, but sucked at sucking at business. They were warned about potential privacy violations during bankruptcy proceedings. Pretending for a minute the U.S. isn’t too corrupt to pass modern privacy laws, there’s not much of a company left to hold accountable for the privacy-related “oversight.”
Now, a lot of this data is old. And however bad this sounds, it can’t hold a candle to the data collected on you by a vast array of dodgy international regulators, who routinely leak vast U.S. consumer datasets into the wild because the U.S. is literally too corrupt to pass a basic privacy law or regulate data brokers.
Still, it’s a problem: as the Wall Street Journal notes, there are an estimated 24,000 of these abandoned rental kiosks scattered all over the U.S., and retail landlords are struggling like hell to just find somebody to come take them away.