América Retail | Homepage

Sustainability: Exposed Personal Info On Tens Of Thousands Of Customers
March 20, 2017

Journalist: Klaudia Musiol. Source: https://www.buzzfeed.com/leticiamiranda/saks-fifth-avenue-exposed-personal-info?utm_term=.daY10OwyL3&ncid=newsltushpmgnews#.apwrG3Kj6v

The personal information of tens of thousands of customers of Saks Fifth Avenue has been publicly available in plain text online, BuzzFeed News has learned.

The online shopping site for the brand is maintained by the digital division of its owner, the Canada-based Hudson’s Bay Company. Until recently, unencrypted, publicly accessible web pages on the site contained tens of thousands of records for customers who signed up for wait lists to buy products.

The records included email addresses and product codes for the items customers expressed interest in buying; some also contained phone numbers. Each record also included a date and time, and one of a handful of recurring IP addresses.

The pages, which were reviewed by BuzzFeed News in recent days, were taken offline after HBC was contacted for comment on this story. The Saks website also serves logged-in customers some pages over unencrypted connections, leaving online shoppers’ information vulnerable to hackers while they browse the site on an open Wi-Fi network.

“This is as bad as security gets,” said Robert Graham, a cybersecurity expert and owner of Errata Security, to BuzzFeed News. “Everyone is vulnerable.”

“We take this matter seriously,” a Hudson Bay Company spokesperson told BuzzFeed News. “We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”

[Redacted screenshot of the kind of information that was publicly available]

It is unclear why the information was publicly available online. But a Hudson Bay Company spokesperson told BuzzFeed News it has “teams dedicated to the security of our customers’ data and follow industry best practices for information security.”

The Canadian retailer is the oldest continually operating business in North America, with roots dating back to a fur trader founded in 1670. The company is currently on the hunt for a major new U.S. department store acquisition, and has been in takeover talks with both Neiman Marcus and Macy’s, the New York Times reported last week.

One publicly-accessible page viewed by BuzzFeed News included a number of Gmail, AOL and Hotmail addresses, along with work email accounts from JPMorgan, Charter Communications and government addresses. These were often paired with phone numbers left by the customer.

Graham, the cybersecurity professional who reviewed some of the vulnerabilities after being contacted by BuzzFeed News, said they could expose people to further security headaches.

“Where there’s smoke, there’s fire,” he said. “There is probably a way to get password information, but you would have to search further.”

The online shopping sites also use a mix of secure and non-secure pages, which can pose another vulnerability to shoppers.

On Saks Fifth Avenue’s homepage, a small notification appears in the browser’s address bar warning users that the connection is not secure. Even when a shopper is logged into their account, a number of the site’s other pages do not require secure browsing, which a user can verify by checking whether “https” appears at the start of the URL.

Graham said that this mix of secure and non-secure pages can leave a shopper vulnerable when browsing on an open Wi-Fi network, of the kind commonly found in coffee shops and other public places.

A hacker using the same wireless network as a Saks online shopper could eavesdrop on their connection in some circumstances, intercepting data that could allow them to log in to the system as the customer in the future, making purchases and grabbing personal information.

“The solution is for every webpage to be encrypted, not just the login,” said Graham. “They should all be https links.”
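A small defender-side check for the problem Graham describes, added here as an illustration and not drawn from the article or from HBC. It audits one fetched page for the three things that make a mixed HTTP/HTTPS site risky on open Wi-Fi: the page itself served without TLS, a session cookie without the Secure attribute, and plain-HTTP links. The host names, headers and HTML are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample response for a logged-in page (hypothetical host,
# not real Saks output): served over plain HTTP, sets a session cookie
# without the Secure attribute, and links to a mix of http:// and
# https:// resources.
SAMPLE_URL = "http://shop.example.test/account/wishlist"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "sessionid=abc123; Path=/; HttpOnly",
}
SAMPLE_HTML = """
<a href="https://shop.example.test/login">Sign in</a>
<a href="http://shop.example.test/waitlist">Wait list</a>
<img src="http://static.example.test/logo.png">
"""

def audit_page(url, headers, html):
    """Return (severity, message) findings for a single fetched page."""
    findings = []
    if urlparse(url).scheme != "https":
        # Everything on this page, cookies included, crosses the network
        # in the clear and can be read by anyone on the same Wi-Fi.
        findings.append(("high", f"page served without TLS: {url}"))
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in hdrs:
        # Without HSTS the browser will follow http:// links next time too.
        findings.append(("medium", "missing Strict-Transport-Security header"))
    cookie = hdrs.get("set-cookie")
    if cookie:
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs:
            # A cookie without Secure is also sent on plain-HTTP requests,
            # so a single unencrypted page leaks the whole logged-in session.
            findings.append(("high", f"cookie {name!r} lacks the Secure attribute"))
    for link in re.findall(r'(?:href|src)="([^"]+)"', html):
        if urlparse(link).scheme == "http":
            findings.append(("medium", f"plain-HTTP link on page: {link}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"[{severity}] {message}")
```

Run over every page of a real crawl, an empty findings list for each page is what Graham's "all https" recommendation looks like in practice.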

UPDATE

This article was updated with more information on the data that was made publicly accessible, and the IP address details included in each record.
