Gearbest: Not the Best

Posted 18th March 2019 by Dave Cross
Gearbest has been trading for five years, selling a wide range of consumer electronics, including vaping equipment, to millions of customers. To mark its sixth year the company recently rebranded to reflect its values and vision. Unfortunately, those values did not extend to protecting personally identifiable information, including banking data.

Gearbest’s design team met last year to create an “energetic brand message”. The project remit was to create a simpler logo and slogan in order to convey “a modern vision” of the company, all based around the letter “G” to resemble a “classic smile”.

"We spent 4 months working on this grand upgrade from sending questionnaires to consumers to comparing hundreds of logos and proposals. This is really big for us, and for Gearbest," Director of UED centre Thor Zhao said.

Branding director Lilac Luo added: “It is the perfect breakthrough point to transform the image, strategies and brand philosophy. We completed our closed-loop supply chain by building up a management and control system on purchase, storage, sale, and delivery, which will be crucial and a strong support for branding in the future.”

They chose to keep the old black and white and include yellow; a colour traditionally associated with luck, power, royalty and prosperity in China. Unfortunately, yellow also has a strong association with pornographic publications, so its use comes with a caution when incorporated into brand designs.

The link to pornography is quite appropriate in this context as it gives rise to an unprintable word that would encapsulate how millions of Gearbest customers must be feeling this week.

All the meetings about font type and colour count for nothing when most of the private customer information was stored unencrypted in an Elasticsearch database that anyone on the internet could reach.

Information included:

  • Full names
  • Addresses
  • Phone numbers
  • Email addresses
  • Products purchased
  • Payment methods
  • Invoice information
  • Active bank payment vouchers with their unique barcodes, meaning the information could be used to impersonate the holder of the relevant bank account

The database held personal identifiers and private banking data, and a Kafka misconfiguration meant that anyone who found it could read or change any record without authenticating. Noam Rotem, a cyber-security specialist and white hat hacker, identified the flaws at the beginning of March.

It is reported that Gearbest failed to respond to or act upon this information. The data had still not been secured as of the end of last week, according to Rotem.
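The exposure described above comes down to a datastore that is reachable from outside the host with nothing checking credentials on the way in. As an added illustration (this is not code from the article, and the configurations are constructed for the example, not Gearbest's own), the following Python audits an elasticsearch.yml-style configuration for exactly that combination. The setting names network.host, http.port, xpack.security.enabled and xpack.security.http.ssl.enabled are real Elasticsearch settings; the parser handles only the flat `key: value` form, and the "security is off unless explicitly enabled" rule reflects the defaults before Elasticsearch 8.

```python
"""Audit an elasticsearch.yml-style node configuration for the combination
that leaves every index readable and writable by anyone who can reach it.

Added illustration for this article, not Gearbest's configuration. The
setting names (network.host, http.port, xpack.security.enabled,
xpack.security.http.ssl.enabled) are real Elasticsearch settings; the two
sample configurations below are constructed for the example.
"""
from typing import Dict, List

# Constructed sample: node bound to every interface, security never turned on.
EXPOSED_CONFIG = """\
cluster.name: shop-orders
node.name: es-1
network.host: 0.0.0.0        # listen on all interfaces
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same node with authentication and TLS on, bound to one
# internal address. Being reachable is then acceptable because every request
# has to carry valid credentials.
HARDENED_CONFIG = """\
cluster.name: shop-orders
node.name: es-1
network.host: 10.20.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the REST API on the local machine only.
# An absent setting defaults to loopback, hence the empty string.
LOOPBACK_HOSTS = {"", "localhost", "127.0.0.1", "::1", "_local_"}


def parse_settings(text: str) -> Dict[str, str]:
    """Read the flat `key: value` lines of elasticsearch.yml.

    Comments and blank lines are dropped and values are lower-cased so that
    `True` and `true` compare equal. Nested YAML and list values are not
    handled; a list such as `[_local_, _site_]` is kept as its raw string and
    therefore does not match LOOPBACK_HOSTS, which errs on the side of
    flagging it.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")  # default binds loopback only
    if host not in LOOPBACK_HOSTS:
        findings.append(
            f"network.host={host}: REST API on port "
            f"{settings.get('http.port', '9200')} is reachable from other hosts"
        )
    # Before Elasticsearch 8, security is off unless explicitly enabled.
    if settings.get("xpack.security.enabled", "false") != "true":
        findings.append(
            "xpack.security.enabled is not true: no authentication, "
            "any client can read, write and delete every index"
        )
    if settings.get("xpack.security.http.ssl.enabled", "false") != "true":
        findings.append(
            "xpack.security.http.ssl.enabled is not true: credentials and "
            "records cross the network in clear text"
        )
    return findings


def is_exposed(settings: Dict[str, str]) -> bool:
    """True when the node is both reachable beyond localhost and unauthenticated,
    which is the situation the article describes."""
    host = settings.get("network.host", "_local_")
    unauthenticated = settings.get("xpack.security.enabled", "false") != "true"
    return host not in LOOPBACK_HOSTS and unauthenticated


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_settings(text)
        print(f"{label}: exposed={is_exposed(cfg)}")
        for finding in audit(cfg):
            print("  -", finding)
```

The live counterpart of this check is a request to the REST API with no credentials at all: if `curl http://<host>:9200/_cat/indices` returns an index listing instead of a 401, the node is in the exposed state above. Turning on authentication is necessary but not sufficient; ports 9200 and 9300 should also be firewalled to the application servers that need them, and the same two questions (who can reach the port, and what checks credentials when they do) apply equally to the Kafka brokers mentioned in the report.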

Brian Johnson, CEO of DivvyCloud said: “Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information.”

“This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more.”

“Organisations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls.”

Security company Avast states: “All customers of Gearbest are advised to monitor all credit card and bank accounts. The personal information leaked online provides everything a bad actor would need to access a customer’s money and then some.”

“All potential victims should change their passwords immediately. Regularly changing and storing complex passwords is easy with a password manager.”

As Gearbest has warehouses in Spain, Poland, the Czech Republic and the U.K. and handles the personal data of EU customers, EU data protection and privacy law applies: if it is found to have violated the General Data Protection Regulation it can be fined up to €20 million or 4% of its annual global turnover, whichever is higher.

Article by Dave Cross
Freelance writer, physicist, karateka, dog walker