24,000 Abandoned Redbox DVD Rental Kiosks Are Leaking Sensitive Customer Information

from the privacy-shmivacy dept

You probably remember Redbox, the DVD-rental kiosk company that went bankrupt last June. The story behind the bankruptcy is interesting, in case you missed it. The company failed to pivot to streaming (you might recall the failed joint venture with Verizon), and the bankruptcy has been profoundly ugly in a scorched-earth kind of way.

Frustrated employees (who stopped receiving health insurance last May) have apparently been stripping the company for parts, including selling used DVDs all over eBay. The company’s kiosks have also been left abandoned everywhere. 404 Media had a good story about how some innovative tinkerers have been making interesting use of the abandoned machines (of course they’re capable of running Doom).

But Ars Technica notes another problem: many of the abandoned machines still have the sensitive data of customers left on the hard drives. That includes rental histories, email addresses, zip codes, and, in some cases, credit card numbers, all going back to at least 2015:

“[The Redbox] logged lots of information, including debugging information from the transaction terminal, and they left old records on the device. This probably saved them some time on QAing software bugs, but it exposed all their users to data being leaked.”

There are numerous mistakes here, including storing any of this data locally and logging way more data during transactions than was reasonably needed. These are flaws that transparent security research could have identified, prompting a fix before they became a problem.

Redbox and its corporate parent, Chicken Soup for the Soul Entertainment, clearly not only sucked at business, but sucked at sucking at business. They were warned about potential privacy violations during bankruptcy proceedings. Pretending for a minute the U.S. isn’t too corrupt to pass modern privacy laws, there’s not much of a company left to hold accountable for the privacy-related “oversight.”

Now a lot of this data is old. And however bad this sounds it can’t hold a candle to the data collected on you by a vast array of dodgy international regulators, who routinely leak vast U.S. consumer datasets into the wild because the U.S. is literally too corrupt to pass a basic privacy law or regulate data brokers.

Still, it’s a problem: as the Wall Street Journal notes, there are an estimated 24,000 of these abandoned rental kiosks scattered all over the U.S., and retail landlords are struggling like hell to just find somebody to come take them away.

Companies: chicken soup for the soul, redbox


Comments on “24,000 Abandoned Redbox DVD Rental Kiosks Are Leaking Sensitive Customer Information”

8 Comments
This comment has been deemed insightful by the community.
Anonymous Coward says:

Pretending for a minute the U.S. isn’t too corrupt to pass modern privacy laws, there’s not much of a company left to hold accountable for the privacy-related “oversight.”

This is a rare case in which we don’t have to pretend. U.S. legislators did pass a privacy law about video rentals, as noted by Ars: the Video Privacy Protection Act, because the idea of their 1987 viewing records being leaked got them really worried.

Anonymous Coward says:

Re:

What really can any regulator do to a bankrupt company?

Bankruptcy doesn’t mean they’re out of money. It just means they don’t have enough to pay off their creditors, and courts will need to decide who gets how much.

A regulator can fine such a company, thus becoming one of those creditors and potentially depriving lower-priority creditors of repayment. We’d hope that this would make banks, potential bond-buyers, and other investors think twice: before we give you money, we want to know how you’ll protect privacy (especially in cases like this where there is, in fact, a relevant privacy law).

Of course, if the bankruptcy proceedings are already closed, it might be too late, but maybe courts will consider this for future asset disposals.
