Data Breach Reveals Customer Details from 2K Redbox Rentals


# The Redbox Bankruptcy: A Data Privacy Catastrophe on the Horizon

In recent times, the downturn of physical media has become clear, with streaming platforms dominating the entertainment landscape. One of the most emblematic icons of the DVD rental age, Redbox, has encountered considerable difficulties. The company, previously a leading force in the rental industry, has now sought Chapter 7 bankruptcy under its parent organization, Chicken Soup for the Soul. While many express worries about the fate of the red kiosks and DVDs, a significantly more urgent matter has surfaced: the potential risk of sensitive customer information stored on Redbox kiosks being compromised.

## The Downfall of Redbox and Its Consequences

Redbox, famous for its user-friendly DVD rental kiosks found in grocery stores, pharmacies, and various retail environments, has been struggling amid the digital streaming surge. In June, Chicken Soup for the Soul initiated Chapter 7 bankruptcy proceedings, marking the liquidation of Redbox’s assets. As retailers hurry to eliminate the now-outdated kiosks, certain machines have ended up in the possession of hobbyists and tech enthusiasts.

While some individuals have creatively found new uses for the kiosks—such as operating the classic game *Doom* on them—others have uncovered a more troubling issue: the possibility of sensitive customer data being retrieved from the kiosks’ hard drives.

## The Data Privacy Dilemma

As reported by Lowpass and reverse engineer Foone Turing, certain Redbox kiosks possess a significant amount of customer information, including transaction histories, email addresses, zip codes, and even fragments of credit card numbers. Turing managed to recover records for more than 2,400 transactions from a Redbox hard drive, with data traced back to at least 2015. This information was kept locally on the kiosks, presumably as a backup in the event of internet failures.

Although the data saved on these kiosks represents merely a fraction of Redbox’s total transactions, the fact that any customer information is at risk is troubling. Turing’s discoveries indicate that Redbox did not implement sufficient measures to secure or adequately erase sensitive data from its kiosks prior to their decommissioning.

### What Information Was Compromised?

Turing’s research showed that the kiosks logged comprehensive details regarding rental transactions, including:

- **Customer email addresses and zip codes**
- **Titles of rented DVDs** and their rental dates
- **Partial credit card numbers** (the first six and last four digits)
- **Lower-level transaction details** related to payments

While the kiosks did not store full credit card information, the partial data combined with other identifying details still poses a significant risk to customers, especially if correlated with other data sources.

## How Simple Was It to Access the Data?

According to Turing, extracting the data from the Redbox hard drive was relatively straightforward. Using common, free tools, she could crack the hard drive image and recover the customer details. She observed that although the data was scattered across various logs and databases, piecing the information together took only basic hacking skills.

“The device contains numerous logs, and customer details were distributed among several of them—typically fragmentary, but it’s rather easy to cross-reference them with other logs,” Turing elaborated. “With complete access to the hard drive, searching for items like email addresses and credit card numbers is straightforward.”

This level of accessibility underscores a significant weakness in Redbox’s data security practices. The kiosks were designed to run unattended, so any encrypted storage would have had to be decrypted by the machine itself without human assistance. The absence of encryption or secure data storage left customer information exposed to anyone with access to the hard drive.
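The same kind of search can be run defensively before a device leaves an organization's control. The following is an added example, not code from the article, from Turing, or from Redbox's software: a pre-disposal audit that counts the data categories listed above (email addresses and first-six/last-four card fragments) in text extracted from a drive. The log layout, field names and sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log text (not real kiosk data); field names are hypothetical.
SAMPLE_LOG = """\
2015-03-02 18:11:04 rental title="Example Movie" zip=00000
2015-03-02 18:11:05 receipt sent to jane.doe@example.com
2015-03-02 18:11:05 payment card=411111******1111 auth=OK
2015-03-02 18:11:09 payment pan=4111111111111111 auth=OK
2015-03-02 18:12:40 inventory slot=118 barcode=1234567890123456
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# First six digits, masked middle, last four: the truncation the article describes.
TRUNC_PAN_RE = re.compile(r"\b\d{6}[*xX]{2,9}\d{4}\b")
# Candidate full card numbers; confirmed with the Luhn checksum below.
FULL_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs (barcodes, IDs) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit_text(text: str) -> Counter:
    """Count residual PII per category; matched values are never stored or echoed."""
    counts = Counter(email=0, truncated_pan=0, full_pan=0)
    for line in text.splitlines():
        counts["email"] += len(EMAIL_RE.findall(line))
        counts["truncated_pan"] += len(TRUNC_PAN_RE.findall(line))
        counts["full_pan"] += sum(luhn_ok(m) for m in FULL_PAN_RE.findall(line))
    return counts


def passes_sanitization(text: str) -> bool:
    """A drive is cleared for disposal only when every category count is zero."""
    return sum(audit_text(text).values()) == 0


if __name__ == "__main__":
    print(dict(audit_text(SAMPLE_LOG)), passes_sanitization(SAMPLE_LOG))
```

A zero count from a scan like this is a sanity check after wiping, not a substitute for it: data in compressed, binary or database formats will not match plain-text patterns.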

## Legal and Fiscal Ramifications

The revelation of customer data from Redbox kiosks gives rise to serious legal and financial issues. In a court document filed in August 2024, Automated Kiosk Advisors LLC issued a warning regarding the potential hazards linked to inadequately removing and destroying the internal data storage within Redbox kiosks. The document stressed that Redbox hard drives must undergo secure reformatting to avert the exposure of sensitive personal data, such as credit card numbers, email addresses, and rental records.

The mishandling of customer data could also breach consumer privacy laws, such as the **Video Privacy Protection Act (VPPA)**, which forbids the improper disclosure of video rental information. However, with Chicken Soup for the Soul undergoing bankruptcy proceedings, holding the company liable for any data breaches may be a daunting task.

## The Wider Privacy Challenge

While the Redbox predicament raises alarm, it is not an isolated case. Turing pointed out that similar privacy concerns frequently arise across numerous sectors, particularly regarding devices that locally store customer data. The insufficient implementation of data security measures and the failure to properly erase information before retiring devices are recurring issues that place consumers in jeopardy.

Mario Trujillo, a legal representative for the **Electronic Frontier Foundation (EF)