
Redbox’s privacy nightmare revealed

Also: Meta is getting smarter about hardware

Welcome to Lowpass! This week: Out-of-commission Redbox kiosks contain valuable customer data, and Meta knows how to stack boxes.


Reverse-engineering reveals Redbox’s sloppy privacy practices

Have you ever rented a DVD from a Redbox kiosk? If so, then it’s possible that your rental data, along with most digits of your credit card and other personally identifiable information, is now in the hands of strangers. New findings from a hacker who has been examining the data stored on the hard drive of one of the kiosks reveal that the company apparently kept copies of detailed data of some transactions for years without proper safeguards.

Bay Area-based reverse engineering enthusiast Foone Turing recently got her hands on the disk image of a Redbox kiosk hard drive, and discovered that it included a file with detailed rental data for around 2500 transactions going back nearly a decade.

“[It] contains records for when stuff is rented [including] email addresses, DVD/bluray titles, times, zip codes,” Foone told me via email. With that data, she was able to easily identify someone who rented the movie The Maze Runner from a Redbox kiosk in Morgantown, North Carolina in May of 2015.

But that’s not all: Redbox apparently also saved some payment data on those drives. “The device talks to a secure payment transaction device (so there's no logs of full credit info) but it logs a bunch of stuff that it really shouldn't: We've got the first 6 and last 4 [digits] of each credit card used, plus some lower level transaction details,” Foone said.

I recently wrote a story for Sherwood News about Redbox’s chaotic final chapter: The company went bankrupt this summer and is slated to be liquidated, but most of its assets are in a holding pattern as the company’s main creditor, its original owner and a court-appointed trustee struggle to agree on a path forward.

Meanwhile, the bankruptcy court overseeing Redbox’s liquidation has given retailers the go-ahead to get rid of thousands of kiosks remaining on their properties. That’s a risky move, as a company called Automated Kiosk Advisors pointed out in a court filing in August, cautioning that kiosk hard drives could contain “credit/debit card data, email addresses, zip codes, customer names and associated movie rental history.”

Turns out they do, if only for a subset of transactions.
