Fashion retailer Express left customers’ personal data and order details exposed to the internet

Published: April 16, 2026 at 08:39 AM EDT
Source: TechCrunch

Overview

Fashion giant Express patched a security flaw that allowed anyone to view other customers’ order details and personal information. The issue exposed order confirmation pages, revealing names, phone numbers, email addresses, postal, billing, and delivery addresses, order items, and partial payment‑card data (card type and last four digits). At least a dozen orders were publicly listed in web search results.

Details of the Security Flaw

  • The flaw exposed order confirmation webpages on Express’s online store.
  • Order numbers are largely sequential, enabling an attacker to iterate through thousands of orders by modifying the order number in the URL.
  • Personal data displayed included:
    • Customer name, phone number, and email address
    • Postal, billing, and delivery addresses
    • Items purchased
    • Partial payment‑card information (card type and last four digits)
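
As an added illustration (not Express's code; the store, secret and function names are assumptions), the pattern behind this flaw next to a hardened version: an order lookup keyed only on the guessable order number, versus one that requires the authenticated owner or an unguessable per-order token, records every lookup, and keeps the page out of search indexes.

```python
import hmac
import hashlib
from typing import Optional

# Assumption: a server-side secret that never reaches the client (constructed value).
SECRET_KEY = b"constructed-demo-secret"

# Constructed sample store with sequential order numbers, as the article describes.
ORDERS = {
    100001: {"customer_id": "c-alice", "items": ["jacket"], "card_last4": "4242"},
    100002: {"customer_id": "c-bob", "items": ["jeans"], "card_last4": "1111"},
}
ACCESS_LOG = []  # every lookup is recorded, so exposure questions can be answered later

def confirmation_token(order_id: int) -> str:
    """Unguessable per-order token: HMAC of the order number under the server secret.
    Knowing order 100001 and its token reveals nothing about 100002's token."""
    return hmac.new(SECRET_KEY, str(order_id).encode(), hashlib.sha256).hexdigest()[:32]

def confirmation_url(order_id: int) -> str:
    """Link sent to the buyer; the token, not the order number, is what grants access."""
    return f"/order-confirmation?order={order_id}&token={confirmation_token(order_id)}"

def lookup_order_vulnerable(order_id: int) -> Optional[dict]:
    """The failure mode in the article: the order number in the URL is the only
    input, so changing it returns another customer's order."""
    return ORDERS.get(order_id)

def lookup_order_hardened(order_id: int, token: Optional[str],
                          session_customer: Optional[str]) -> Optional[dict]:
    """Return the order only to its authenticated owner or to a bearer of the
    confirmation token; any other request is indistinguishable from 'not found'."""
    order = ORDERS.get(order_id)
    allowed = order is not None and (
        (session_customer is not None and session_customer == order["customer_id"])
        or (token is not None and hmac.compare_digest(token, confirmation_token(order_id)))
    )
    ACCESS_LOG.append({"order": order_id, "customer": session_customer, "allowed": allowed})
    return order if allowed else None

# Headers for the confirmation page, so it is neither indexed nor cached (the article
# notes that orders were listed in web search results).
RESPONSE_HEADERS = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store, private"}
```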

Discovery and Reporting

Rey Bango, a security and privacy advocate, discovered the issue while investigating a fraudulent purchase on a family member’s account. He was unable to find a way to report the flaw directly to Express and asked TechCrunch to alert the company.

“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order and someone else’s order information came up!” – Rey Bango

TechCrunch verified that tweaking the order‑confirmation URL allowed access to other customers’ data.

Express’ Response

  • After being contacted, Express fixed the flaw on Wednesday.
  • The company did not confirm whether it will notify affected customers.

Statement from Joe Berean, Express head of marketing:

“We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”

“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time.”

Berean declined to provide details on how customers could report security issues, whether a vulnerability‑disclosure program is planned, or if logs exist to determine whether the exposed data was accessed. He also did not comment on potential notification to state attorneys general as required by U.S. data‑breach laws.

Related Incidents

  • Home Depot: In December, a researcher found that Home Depot had exposed its internal systems for a year.
  • Petco: The same month, TechCrunch discovered that Petco’s Vetco Clinics site was leaking customers’ personal information and pets’ medical documents, leading to the site’s takedown.