Luxury US department store Saks Fifth Avenue accidentally made public the personal details of tens of thousands of its online customers, exposing them to the risk of follow-on fraud and cyber-attacks.
Email addresses, names and some phone numbers were discovered in plain text on the store’s website, relating to customers who had signed up to waiting lists to buy products, according to BuzzFeed News.
It’s unclear how long they were publicly accessible for, but the store’s owner – Canada-based Hudson’s Bay Company – apparently took them offline when contacted.
A statement from the firm sought to play down the seriousness of the privacy snafu:
“We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
Some of the exposed email accounts belonged to government employees, according to the report.
Javvad Malik, security advocate at AlienVault, argued that firms are primarily focused on protecting payment card and password data – although these credentials are relatively easy to replace.
“Personal, and personally identifiable information on the other hand isn’t so easy to change or replace once it is out in the wild. Therefore, it merits just as much, if not more protection than payment data or passwords,” he added.
“Criminals know the value of this and will go after companies, regardless of size or vertical. Therefore, all companies need to take the threats into consideration when dealing with sensitive information.”
Follow-on phishing, vishing and other fraud attempts are a common way to monetize such information.
As if that wasn’t enough, the report also revealed that the Saks website is not 100% HTTPS, meaning that man-in-the-middle snoopers could grab customer log-in-related information.