Fashion giant Express has patched its website to fix a security flaw that allowed anyone to view other people’s order details and personal information, TechCrunch has learned exclusively. At least a dozen Express customer orders were publicly listed in web search engine results.
The security flaw exposed order confirmation pages on Express’ online store, revealing details of purchases and who made them.
The exposed information included customer names, phone numbers and email addresses. mailing, billing and delivery addresses; order details, including items a customer purchased; and some payment card information, including card type and last four digits.
Express is a major clothing retailer with hundreds of stores in the United States, Mexico and Latin America. The once publicly traded company is now run by WHP Global, which also owns several fashion and retail giants.
Security and privacy advocate Rey Bango accidentally discovered the flaw after investigating a fraudulent purchase on a family member’s account, but found no way to report the flaw to Express. Bango asked TechCrunch to notify the company in an effort to fix the bug.
“When I tried to look up if the order number was a legitimately formatted Express order number via Google, I saw a link to another order and someone else’s order information came up!” Bango told TechCrunch.
TechCrunch has verified that one can modify the address of the order confirmation webpage to view the order and personal information of other customers. Express uses order numbers that are largely sequential, which makes it easy to potentially switch thousands of orders by changing the order number in the web address using automated web tools.
When contacted by Express, the apparel giant fixed the flaw on Wednesday, but did not say whether it plans to notify customers of the security flaw.
When reached for comment, Express chief marketing officer Joe Berean told TechCrunch, “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”
“We have just been made aware of this issue, have investigated and are continuing to review the matter and have no further comment at this time,” Berean said.
Berean did not say how customers could contact the company, nor did he specify whether the company plans to update its website to receive reports of security flaws, such as a vulnerability disclosure program. He did not say whether the company had the technical means, such as logs, to check whether someone had accessed the personal information of other customers.
The executive did not respond to follow-up questions, including whether Express planned to disclose the incident to state attorneys general, as required by US data breach notification laws.
The Express security breach is the latest incident in recent months where customer information has been exposed online due to misconfigurations or unintended security lapses.
In December, a security researcher found that Home Depot had been exposing its internal systems for a year, but tried to alert the company to the incident. That same month, veterinary and pet wellness giant Petco took down its website after TechCrunch found that the company’s Vetco Clinics website shared personal customer information and their pets’ medical records.
