A Romanian web platform owned by the international tobacco company British American Tobacco (BAT) has suffered a data breach and ransomware attack. 

The data breach was discovered on an unsecured Elasticsearch server located in Ireland, which involves close to 352 GB of data. In addition, they found that hackers had already gotten to the data and that the server also contained a readme file with a ransom request, in which a hacker or group of hackers threatened to delete the data from the server if their demands aren’t met. The hackers are demanding a Bitcoin payment in exchange for the data.

Noam Rotem and Ran Locar, internet privacy researchers from vpnMentor, found the data breach on a server connected to the web platform YOUniverse.ro. The web platform is part of a BAT Romania promotional campaign targeting adult smokers, says vpnMentor.

BAT is based in the United Kingdom. It is one of the world’s largest manufacturers of tobacco and nicotine products. Through the platform, Romanian residents can win tickets to parties and events featuring well-known local and international performers. "Romanian law prohibits most kinds of tobacco advertising. However, the law permits certain types of promotional campaigns and event sponsorships that exclusively target existing smokers over the age of 18," says the report. 

The data breach involves sensitive personally identifiable information (PII) of users, such as: 

  • full name
  • email
  • phone number
  • date of birth
  • gender
  • source IP
  • cigarette and tobacco product preferences

Despite multiple attempts by the team to disclose the breach, the database remained open and unsecured for over two months. Starting on September 22nd, the research team repeatedly tried to contact the company (the local branch, as well as the global company), the server’s hosting company, Romania’s National Authority for Consumer Protection (ANPC) and the certification authority (CA). The only party the researchers heard back from was the CA. They also contacted several Romanian journalists asking for help getting in touch with the company, but they have yet to receive a reply.

As of November 27th the database was finally closed, but nobody ever replied to the researchers. 

For more information, visit the vpnMentor website