Fashion retailer Express has fixed a critical security vulnerability on its website that exposed the personal information and order details of customers. According to TechCrunch, at least a dozen individual orders were discoverable through ordinary web searches, and each exposed page included sensitive data such as the customer's name, contact details, shipping address and partial payment card information.
The flaw sat in the order confirmation pages of Express' online store, which returned full purchase details for whatever order number appeared in the page URL, without checking that the visitor was the customer who placed the order (a broken access control, or insecure direct object reference). Because Express assigned order numbers sequentially, an attacker did not need to guess anything: incrementing the number in the URL with a simple script would have exposed thousands of orders.
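To make the failure mode concrete, the following is an added example written for this article, not code from Express or TechCrunch. It models an order-confirmation lookup keyed on a sequential order number with no ownership check, shows how trivially such IDs are enumerated, and places a hardened handler beside it that requires either the logged-in owner or a long random per-order token, and that answers "not found" rather than "forbidden" so the existence of an order number is not leaked. The order records, customer IDs and function names are all constructed for the example.

```python
import hmac
import secrets

# Constructed sample data: sequential order numbers, as on a typical retail site.
ORDERS = {
    10001: {"customer_id": "cust-a", "name": "A. Example", "card_last4": "1234"},
    10002: {"customer_id": "cust-b", "name": "B. Example", "card_last4": "5678"},
}


# --- Vulnerable pattern: the record is resolved purely from the URL parameter.
def vulnerable_order_page(order_number: int):
    """Return the order for any order_number. No authorization check at all."""
    return ORDERS.get(order_number)


def enumerate_orders(start: int, count: int) -> list:
    """What a scraper does against the vulnerable handler: walk sequential IDs."""
    return [n for n in range(start, start + count) if vulnerable_order_page(n) is not None]


# --- Hardened pattern: ownership check, or an unguessable confirmation token.
ORDER_TOKENS = {}  # order_number -> random token issued once at checkout (hypothetical store)


def issue_confirmation_token(order_number: int) -> str:
    """Generate a 256-bit random token to embed in the emailed confirmation link."""
    token = secrets.token_urlsafe(32)
    ORDER_TOKENS[order_number] = token
    return token


def hardened_order_page(order_number: int, *, session_customer_id=None, token=None):
    """Return the order only to its owner (by session) or to a holder of its token.

    Any failure returns None, which the web layer should render as 404 so an
    attacker cannot distinguish "no such order" from "not your order".
    """
    order = ORDERS.get(order_number)
    if order is None:
        return None
    if session_customer_id is not None and session_customer_id == order["customer_id"]:
        return order
    expected = ORDER_TOKENS.get(order_number)
    if token is not None and expected is not None and hmac.compare_digest(token, expected):
        return order
    return None


def confirmation_response_headers() -> dict:
    """Headers a confirmation page should carry so it is neither indexed nor cached,
    which addresses the separate problem of order pages turning up in web searches."""
    return {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}


if __name__ == "__main__":
    print("enumerated:", enumerate_orders(10000, 5))
    tok = issue_confirmation_token(10001)
    print("owner:", hardened_order_page(10001, session_customer_id="cust-a"))
    print("other customer:", hardened_order_page(10001, session_customer_id="cust-b"))
    print("token:", hardened_order_page(10001, token=tok))
```

The token path matters because confirmation links are typically opened from email without a login session; a per-order random token gives that link the same property the sequential number lacked, namely that knowing one order's URL tells you nothing about any other order.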
The issue was uncovered by Rey Bango, a privacy advocate who stumbled upon the vulnerability while investigating a fraudulent transaction on a relative's account. Bango said he could find no direct channel for reporting security issues to Express and asked TechCrunch to bring the matter to the company's attention.
Upon being informed, Express rectified the vulnerability but has not clarified whether it plans to inform affected customers about the breach. Joe Berean, Express’ head of marketing, acknowledged the seriousness of the situation, emphasising the company’s commitment to data privacy and encouraging individuals to report any potential security concerns directly.
However, Berean did not provide specifics on how customers could reach out or if the company has implemented a formal vulnerability disclosure program. He also did not clarify whether there were measures in place to audit access logs to determine if other customer information had been compromised.
The Express incident joins a troubling pattern of companies exposing customer data through misconfiguration and missing access controls rather than through sophisticated attacks. Recent examples include Home Depot, which left internal systems vulnerable for a year, and Petco, which temporarily took its website down to address similar data leakage.
Express is a prominent clothing retailer operating extensively in the U.S., Mexico, and Latin America and is currently managed by WHP Global, known for its portfolio of fashion and retail brands.