Thousands of Redboxes getting dumped
It's worth noting that the amount of data expected to be stored on Redboxes is small compared to Redbox's overall business. Since Redbox once rented out millions of DVDs weekly, the data retrieved only represents a small portion of Redbox's overall business and, likely, of business conducted on that specific kiosk. That might not be much comfort to those whose data is left vulnerable, though.
The problem is more alarming when considering how many Redboxes are still out in the wild with uncertain futures. High demand for Redbox removals has resulted in all sorts of people, like Turing, gaining access to kiosk hardware and/or data. For example, The Wall Street Journal reported last week about a "former Redbox employee who convinced a 7-Eleven franchisee" to give him a Redbox, a 19-year-old who persuaded a contractor hauling a kiosk away from a drugstore to give it to him instead, as well as a Redbox landing in an Illinois dumpster.
Consumer privacy concerns
Chicken Soup's actions may violate consumer privacy regulations, including the Video Privacy Protection Act outlawing "wrongful disclosure of video tape rental or sale records." However, Chicken Soup's bankruptcy (most of its assets are in a holding pattern, Lowpass reported) makes customer remediation more complicated and less likely.
Mario Trujillo, staff attorney for the Electronic Frontier Foundation, told Ars that this incident "highlights the importance of security research in uncovering flaws that can leave customers unprotected."
"While it may be hard to hold a bankrupt company accountable, uncovering the flaw is the first step," he added.
Turing, who reverse-engineers a lot of tech, said that the privacy problems she encountered with Redbox storage "isn't terribly uncommon."
Overall, the situation underscores the need for stricter controls around consumer data, whether they come internally from companies or, as some would argue, through government regulation.
"This security flaw is a reminder that all companies should be obligated to minimize the amount of data they collect and retain in the first place," Trujillo said. "We need strong data privacy laws to do that."