DVD rental service Redbox might be confined to history, but the data privacy problems it has left for consumers might be sticking around for a while.
Redbox allowed consumers to rent DVDs from its 24,000 automatic kiosks all across the US. Its parent company, Chicken Soup for the Soul, went bankrupt in July 2024 after the rise of streaming services like Netflix and Prime Video decimated the DVD rental industry.
Ars Technica reports that one programmer managed to reverse-engineer the hard drive of an old Redbox Kiosk and was able to dig out customers’ names, emails, and rental histories from almost a decade ago. In some cases, California-based programmer Foone Turing could find parts of consumers’ credit card history stored on the hard drives, including the first six and last four digits of the credit card used and some transaction history.
Turing claimed in a social media post that she tracked down one film fan based in Morganton, North Carolina, who allegedly rented The Giver and The Maze Runner in 2015. She tells Ars that “anyone with basic hacking skills could easily pull data manually out of the files with a hex editor,” adding: “This is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before.”
The programmer claims she didn’t even need to access a physical kiosk to dig out the old data, and instead simply used an uploaded hard drive she found on the social network Discord.
The news comes as old Redbox kiosks are becoming collector items in some circles. The Wall Street Journal reports that one 19-year-old North Carolina resident acquired one after striking up a conversation with a contractor who was hired to throw one out.
Recommended by Our Editors
Unfortunately, legal options for any victims impacted may be slim, as “it may be hard to hold a bankrupt company accountable,” The Electronic Frontier Foundation tells Ars.
However, as Lowpass points out, Redbox kiosks may have only stored identifying personal data locally if a disrupted internet or power connection prevented it from being uploaded to the cloud.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
About Will McCurdy
Contributor
