Fashion retailer Express left customers’ personal data and order details exposed online


Fashion giant Express has patched its website to fix a security flaw that allowed anyone to view other people’s order details and personal information, TechCrunch has exclusively learned. At least a dozen orders from Express customers had appeared publicly in web search engine results.

The security breach exposed order confirmation pages on Express’s online store, revealing details of purchases and who made them.

The exposed information contained customer names, phone numbers, and email addresses; postal, billing and delivery addresses; order details, including the items a customer purchased; and partial payment card information, including card type and last four digits.

Express is a large clothing retailer with hundreds of stores in the United States, Mexico and Latin America. The once publicly traded company is now run by WHP Global, which also owns several fashion and retail giants.

Rey Bango, a security and privacy advocate, accidentally discovered the flaw after investigating a fraudulent purchase on a family member’s account, but found no way to report the flaw to Express. Bango asked TechCrunch to alert the company in an effort to fix the bug.

“When I tried to Google whether the order number was a legitimately formatted Express order number, I saw a link to another order and someone else’s order information appeared,” Bango told TechCrunch.

TechCrunch verified that the address of the order confirmation web page could be modified to view the order and personal information of other customers. Express uses order numbers that are largely sequential, making it easy to cycle through thousands of orders by changing the order number in the web address using automated web tools.
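The sequential-order-number problem described above is one a retailer can spot in its own web server logs: a legitimate customer opens one confirmation page, while a client walking the ID space opens many adjacent ones. The following is an added detection example, not code from Express or from the article; the confirmation URL shape (`/order/confirmation?orderNumber=...`), the log lines and the client addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined-log style). The URL path and query
# parameter are assumed for the example, not the retailer's real endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2024:10:00:01 +0000] "GET /order/confirmation?orderNumber=100001 HTTP/1.1" 200 5120
203.0.113.10 - - [20/Mar/2024:10:00:02 +0000] "GET /order/confirmation?orderNumber=100002 HTTP/1.1" 200 5130
203.0.113.10 - - [20/Mar/2024:10:00:02 +0000] "GET /order/confirmation?orderNumber=100003 HTTP/1.1" 200 5098
203.0.113.10 - - [20/Mar/2024:10:00:03 +0000] "GET /order/confirmation?orderNumber=100004 HTTP/1.1" 200 5111
203.0.113.10 - - [20/Mar/2024:10:00:03 +0000] "GET /order/confirmation?orderNumber=100005 HTTP/1.1" 200 5100
198.51.100.7 - - [20/Mar/2024:10:05:44 +0000] "GET /order/confirmation?orderNumber=100377 HTTP/1.1" 200 5102
198.51.100.7 - - [20/Mar/2024:10:09:10 +0000] "GET /account HTTP/1.1" 200 2048
"""

# Only confirmation-page hits matter; capture the client IP and the order number.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /order/confirmation\?orderNumber=(?P<order>\d+) '
)


def order_views_by_client(log_text):
    """Map each client IP to the list of order numbers it viewed, in log order."""
    views = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            views[m.group("ip")].append(int(m.group("order")))
    return views


def flag_enumeration(log_text, min_orders=5, max_step=3):
    """Return {ip: distinct_order_count} for clients that viewed at least
    `min_orders` distinct confirmation pages whose sorted order numbers are
    each within `max_step` of their neighbour, i.e. a walk through a
    sequential ID space rather than a customer checking their own order."""
    flagged = {}
    for ip, orders in order_views_by_client(log_text).items():
        distinct = sorted(set(orders))
        if len(distinct) < min_orders:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        if all(step <= max_step for step in steps):
            flagged[ip] = len(distinct)
    return flagged
```

The thresholds are starting points to tune against real traffic; the durable fix is still to tie confirmation pages to the buyer's session or to an unguessable per-order token, since detection only tells you enumeration happened after the fact.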

After we contacted Express, the apparel giant fixed the flaw on Wednesday, but did not say whether it plans to notify customers about the security flaw.

When contacted for comment, Express marketing chief Joe Berean told TechCrunch: “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security issue to contact us directly.”

“Upon learning of this issue, we investigated and continue to review the matter and have no further comment at this time,” Berean said.

Berean did not say how customers could contact the company, nor did he detail whether the company plans to update its website to receive reports of security flaws, such as through a vulnerability disclosure program. He did not say whether the company had the technical means, such as logs, to check whether anyone had accessed other customers’ personal information.

The executive did not respond to follow-up questions, including whether Express planned to disclose the incident to state attorneys general as required by U.S. data breach notification laws.

The Express security breach is the latest incident in recent months in which customer information was exposed to the Internet due to misconfigurations or other inadvertent security lapses.

In December, a security researcher discovered that Home Depot had exposed its internal systems for a year but struggled to alert the company about the incident. In the same month, veterinary and pet wellness giant Petco took down its website after TechCrunch discovered that the company’s Vetco Clinics site was disclosing customers’ personal information and their pets’ medical documents.
