Zales.com leaked customer data, just like sister companies Jared and Kay Jewelers did in 2018 – Krebs on Security


In December 2018, bling seller Signet Jewelers fixed a weakness in its Kay Jewelers and Jared websites that exposed the order information of all of its online customers. This week, the Signet subsidiary Zales.com updated its website to address a nearly identical customer data exposure.

Last week KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly discovered they were looking at someone else's order information on the website, including the customer's name, billing address, delivery address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer's credit card number.

The reader noticed that the link to the order information she came across included a long string of digits that, when changed, produced another customer's order information.
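The weakness described above is the classic insecure direct object reference: the order number in the URL is the only thing that selects which record comes back. The following is an added example, not Zales or Signet code, written to show what the fix looks like from the application's side. It puts a lookup that trusts the URL number beside one that ties the lookup to the logged-in customer, issues unguessable tokens for guest tracking links, and runs a simple check over a constructed access log for the pattern of one session stepping through consecutive order numbers. All orders, sessions and log lines are constructed; the function names and log format are assumptions.

```python
"""Added example (not Signet/Zales code): an order-lookup endpoint that trusts a
guessable order number in the URL, beside a version that checks ownership, and a
log check for the enumeration pattern such an exposure invites. Data constructed."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str
    name: str
    ship_to: str
    card_last4: str


# Constructed sample orders; note the sequential ids a visitor could step through.
ORDERS = {
    100001: Order(100001, "cust-a", "Alice Example", "1 Main St, Dallas", "4242"),
    100002: Order(100002, "cust-b", "Bob Example", "2 Elm St, Austin", "1111"),
    100003: Order(100003, "cust-c", "Cara Example", "3 Oak St, Plano", "9876"),
}

# Guest tracking links get a random, unguessable token instead of the order id.
TRACKING_TOKENS = {}  # token -> order_id


def lookup_order_vulnerable(order_id: int):
    """Insecure direct object reference: the id in the URL is the only key, so
    changing the number returns someone else's order."""
    return ORDERS.get(order_id)


def lookup_order_hardened(session_customer_id: str, order_id: int):
    """Authorization is tied to the logged-in customer, and a foreign order looks
    exactly like a missing one, so the response does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        return None
    return order


def issue_tracking_token(order_id: int) -> str:
    """For guest tracking links: a 256-bit random token replaces the guessable id."""
    token = secrets.token_urlsafe(32)
    TRACKING_TOKENS[token] = order_id
    return token


def lookup_by_tracking_token(token: str):
    """Resolve a tracking link; an unknown token simply yields nothing."""
    order_id = TRACKING_TOKENS.get(token)
    return ORDERS.get(order_id) if order_id is not None else None


# Constructed access log: one session walking consecutive order numbers.
ACCESS_LOG = """\
sess=s-alice GET /order/100001 status=200
sess=s-alice GET /order/100002 status=200
sess=s-alice GET /order/100003 status=200
sess=s-alice GET /order/100004 status=404
sess=s-bob GET /order/100002 status=200
"""
LOG_RE = re.compile(r"sess=(\S+) GET /order/(\d+) status=(\d+)")


def find_enumerating_sessions(log_text: str, min_distinct: int = 3):
    """Flag sessions that fetch several distinct order ids, most of them
    consecutive: a customer checks their own few orders, an enumerator walks
    the id space. Returns {session: sorted ids} for flagged sessions."""
    ids_by_session = defaultdict(set)
    for m in LOG_RE.finditer(log_text):
        ids_by_session[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for sess, ids in ids_by_session.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if consecutive >= min_distinct - 1:
            flagged[sess] = ordered
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_order_vulnerable(100002))
    print("hardened, wrong owner:", lookup_order_hardened("cust-a", 100002))
    print("flagged sessions:", find_enumerating_sessions(ACCESS_LOG))
```

The hardened lookup returns the same "not found" for a missing order and for another customer's order, so a visitor who edits the number learns nothing about which ids exist. The log check is deliberately crude; in practice the threshold would be tuned to how many orders a real customer views in one session.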

When the reader did not get an immediate response from Signet, KrebsOnSecurity contacted the company. In a written response, Signet said, "An issue has been brought to our attention by an IT professional. We resolved it quickly, and upon examination, we found no abuse or negative impact on customer systems or data."

Their statement continues:

"As a business principle, we make protecting consumer information the highest priority and proactively launch independent, industry-leading security testing. As a result, we exceed industry benchmarks for data protection maturity. We always appreciate consumers contacting us with their feedback and we are committed to continuing our efforts on data protection maturity."

When Signet addressed similar weaknesses with its Jared and Kay websites in 2018, the reader who discovered and reported that data exposure said his mind quickly turned to the various ways crooks could exploit access to customer order information.

"My first thought was that they could follow a bundle of jewelry to someone's door and slide it out of their door," said Brandon Sheehy, a Dallas-based web developer. "My second thought was that someone could call Jared's customers and pretend to be Jared, read the last four digits of the customer's card and say there had been a problem with the order, and if he could get a different card for the customer, he could execute it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks."

In the grand scheme of the many far more horrific things happening in information security today, this exposure of Zales customer data is small potatoes. And this kind of data exposure is incredibly common: KrebsOnSecurity could probably run a story every day for several months based solely on examples I've seen at dozens of other places online.

But I think one of the biggest reasons we keep seeing businesses make these easily preventable mistakes with their customer data is that there are hardly ever real consequences for organizations that don't pay more attention. Meanwhile, their customers' data can be retrieved freely by anyone or anything that cares to look for it.

"As a web developer, the only thing I can attribute this to is complete incompetence and being very lazy and indifferent to your customers' data," Sheehy said. "It's nothing new, it's basic website security."