Fashion retailer Express has recently addressed a serious security vulnerability on its website, which unintentionally exposed customers’ order information and personal details to the public. Reports indicate that at least a dozen orders from Express appeared in online search results, allowing anyone to access sensitive customer data.
The flaw involved order confirmation pages that displayed not only purchase details but also personal information, including names, contact numbers, email addresses, and delivery information. Additionally, order specifics—such as items purchased and partial payment card information—were also accessible.
Express, known for its extensive network of stores across the United States, Mexico, and Latin America, is currently operated by WHP Global, which owns various fashion and retail brands. The security issue was uncovered by Rey Bango, a privacy advocate, while investigating an unauthorized transaction linked to a family member’s account. While checking whether a particular order number was valid, Bango instead landed on another customer’s order information.
TechCrunch subsequently verified the vulnerability by modifying the URL of the order confirmation page to uncover other customers’ details. The sequential nature of Express’s order numbers facilitated this exploit, enabling automated tools to cycle through numerous orders by merely altering the order number in the web address.
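The exposure TechCrunch reproduced is the textbook insecure direct object reference: a page keyed on a guessable identifier with no check that the requester owns the record. The Python sketch below is added here as an illustration and is not code from Express or TechCrunch; it places that pattern beside two hardened variants, one that binds the lookup to the logged-in account and one for e-mailed confirmation links that adds a per-order random token. The customers, order numbers, account names and function names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data for this example. Customers, e-mail addresses and
# order numbers are made up and are not drawn from the incident.
@dataclass
class Order:
    order_number: int       # sequential number printed on the receipt
    owner: str              # account that placed the order
    name: str
    email: str
    items: List[str]
    card_last4: str
    # Per-order secret carried in confirmation links (e.g. guest checkout).
    link_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))

ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", "Alice Example", "alice@example.test", ["jacket"], "4242"),
    1002: Order(1002, "bob", "Bob Example", "bob@example.test", ["jeans"], "1881"),
}

def render(order: Order) -> dict:
    """Return only the fields the confirmation page actually needs."""
    return {"name": order.name, "email": order.email,
            "items": list(order.items), "card_last4": order.card_last4}

def confirmation_vulnerable(order_number: int) -> Optional[dict]:
    """The pattern the article describes: the page is keyed on the sequential
    order number alone and never asks who is requesting it, so changing the
    number in the URL returns the next customer's details."""
    order = ORDERS.get(order_number)
    return render(order) if order else None

def confirmation_hardened(order_number: int, session_user: Optional[str]) -> Optional[dict]:
    """Fix 1 (assumed design, not Express's code): the number may stay in the
    URL, but the caller must be logged in and must own the order. Unknown,
    unowned and anonymous requests all get the same 'not found' answer, so
    the response does not reveal which order numbers exist."""
    if session_user is None:
        return None
    order = ORDERS.get(order_number)
    if order is None or order.owner != session_user:
        return None
    return render(order)

def confirmation_by_link(order_number: int, supplied_token: str) -> Optional[dict]:
    """Fix 2 for e-mailed confirmation links viewed without a login: the link
    must carry a per-order random token, compared in constant time, so the
    sequential number on its own is not enough to open someone else's order."""
    order = ORDERS.get(order_number)
    if order is None:
        return None
    if not hmac.compare_digest(order.link_token, supplied_token):
        return None
    return render(order)

if __name__ == "__main__":
    # Same request, three handlers: only the ownership-checked and
    # token-checked versions refuse a stranger's order number.
    print("vulnerable:", confirmation_vulnerable(1002))
    print("hardened, wrong user:", confirmation_hardened(1002, "alice"))
    print("hardened, owner:", confirmation_hardened(1002, "bob"))
    print("link, wrong token:", confirmation_by_link(1002, "guess"))
```

The ownership check is the essential fix; the opaque token is the additional layer for pages that must work without a session. Returning the same empty answer for missing and unowned orders also keeps the page from confirming which order numbers exist.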
Following TechCrunch’s inquiry, Express promptly rectified the security flaw. However, it remains unclear whether the company plans to inform affected customers about the breach. In response to queries, Joe Berean, Express’s head of marketing, emphasized the company’s commitment to safeguarding customer data and encouraged direct reporting of any security concerns. He acknowledged awareness of the issue but refrained from providing exact details on plans for customer notifications or guidelines for reporting potential vulnerabilities.
The marketing head did not confirm whether the company has the technical capabilities, such as logging mechanisms, to determine if any personal customer data had been compromised. Additionally, there was no response regarding compliance with U.S. data breach notification laws, which may require disclosure of such incidents to state attorneys general.
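Whether anyone actually walked through the order numbers is a question that ordinary web server access logs can usually answer after the fact. The Python script below is an added example, not anything from Express or the reporting: it parses a handful of constructed Combined Log Format lines and flags clients that requested many distinct or consecutive order numbers on the confirmation endpoint. The path, parameter name, addresses and thresholds are assumptions and would be tuned to the real site.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed access-log lines in Combined Log Format. The addresses, paths,
# order numbers and user agents are made up for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2024:12:00:01 +0000] "GET /order/confirmation?orderId=1003 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2024:12:00:02 +0000] "GET /order/confirmation?orderId=1001 HTTP/1.1" 200 5102 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2024:12:00:02 +0000] "GET /order/confirmation?orderId=1002 HTTP/1.1" 200 5098 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2024:12:00:03 +0000] "GET /order/confirmation?orderId=1003 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2024:12:00:03 +0000] "GET /order/confirmation?orderId=1004 HTTP/1.1" 200 5111 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2024:12:00:04 +0000] "GET /order/confirmation?orderId=1005 HTTP/1.1" 200 5090 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2024:12:00:04 +0000] "GET /order/confirmation?orderId=1006 HTTP/1.1" 404 312 "-" "python-requests/2.31"
198.51.100.7 - - [10/Apr/2024:12:05:44 +0000] "GET /order/confirmation?orderId=1003 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2024:12:05:50 +0000] "GET /static/app.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# The query parameter name is an assumption for the example.
ORDER_RE = re.compile(r"[?&]orderId=(\d+)")

def parse_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (client_ip, order_number, status) for confirmation-page hits,
    or None for unparseable lines and requests to other paths."""
    m = LOG_RE.match(line)
    if not m:
        return None
    o = ORDER_RE.search(m.group("path"))
    if not o:
        return None
    return m.group("ip"), int(o.group(1)), int(m.group("status"))

def longest_consecutive_run(ids: List[int]) -> int:
    """Length of the longest stretch, in request order, where each order
    number is exactly one more than the previous one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(lines: Iterable[str], min_distinct: int = 5,
                     min_run: int = 3) -> Dict[str, dict]:
    """Group confirmation-page hits by client and flag clients that touched
    at least min_distinct different orders or at least min_run consecutive
    ones. The thresholds are assumptions; a real deployment would set them
    from its own traffic baseline."""
    per_ip: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, order_number, status = parsed
            per_ip[ip].append((order_number, status))
    flagged: Dict[str, dict] = {}
    for ip, hits in per_ip.items():
        ids = [order_number for order_number, _ in hits]
        distinct = len(set(ids))
        run = longest_consecutive_run(ids)
        if distinct >= min_distinct or run >= min_run:
            flagged[ip] = {
                "requests": len(hits),
                "distinct_orders": distinct,
                "longest_consecutive_run": run,
                # Successful responses are the ones that actually disclosed data.
                "status_2xx": sum(1 for _, s in hits if 200 <= s < 300),
            }
    return flagged

if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The 2xx count is the number that matters for notification decisions, since it bounds how many distinct customers' confirmation pages a given client actually received. A customer reloading their own order, as the second address does here, never trips either threshold.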
Express’s security incident adds to a growing list of recent occurrences where customer data has been inadvertently exposed online due to misconfigurations or lapses in security measures. Notably, in December, a security researcher discovered vulnerabilities at Home Depot that jeopardized its internal systems for an extended period, while similar breaches affecting customers’ personal data were found on Petco’s Vetco Clinics website.
In summary, the incident highlights ongoing challenges regarding digital security and the need for robust measures to protect customer information in the retail sector.