Genius, French Postal Service App, Exposes 23 Million Records

December 12, 2019

Genius, an Android app-based cash register built by French postal service La Poste, leaked more than 23 million records.

Noam Rotem and Ran Locar, vpnMentor’s research team, found the database belonging to Genius, which integrates many different processes to help small business owners. According to the vpnMentor report, La Poste is the main postal service in France, majority-owned by the French government, and also operating in overseas territories traditionally linked with the country. It’s the second-largest employer in France. Their operations include insurance, banking, webmail hosting and many more services for private citizens.

The company also offers services for small-to-medium businesses (SMBs) in France. Genius also assists SMBs with inventory management, data reporting and analytics, accounting and many more key processes.

Upon identifying La Poste as the database’s owner, the research team reached out to them, their hosting company and The Commission nationale de l’informatique et des libertés (CNIL), France’s independent regulatory body for data privacy. The database was closed almost 3 weeks after the researcher's first contact with the French CNIL.

According to the researchers, they found more than 15 GB of sensitive information, with 23 million records originating from SMBs across France, Belgium, Switzerland, Italy, Spain and maybe more. Entries into the database were linked to payments made by customers via Genius, as well as other functions carried out on the app. Each entry contained different forms of data, depending on the action being taken by the user. These included Personally Identifiable Information (PII) data of both the Genius users and customers, along with PII about the businesses’ finances and operations.

Examples of the user data viewable of the database included:

Full names, Email addresses, phone numbers, and Dates Of Birth, of people using the app.
City of business residence and zip codes of users.
Information about products sold (label, price, barcode, etc) and transactions made via Genius.
Information about sellers (name, email, phone number).
Bills sent to customers and suppliers
Business’ Stock inventory
Both the test and genuine values of products on Genius.
Email addresses of customers who received a bill via Genius.
Total values of the business’ transactions made via Genius.
Business’ Siret number (for French business registration)
Much more

The report says that some examples of the businesses exposed include:

Nilaï – A jewelry store in Paris
By164 – A jewelry store in Paris
Lovat&Green – A unisex fashion retailer based in Bilbao, Spain
Manta – A French gift store with shipping to numerous European countries
Louisette – A French family gift store
MHD Restauration – A small, independent restaurant

To learn more details about the data breach, visit vpnMentor.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Genius, French Postal Service App, Exposes 23 Million Records

Related Articles

Related Products

Report Abusive Comment