In December 2018, bling vendor Signet Jewelers fixed a weakness in its Kay Jewelers and Jared websites that exposed the order information of customers who had ordered online. Signet subsidiary Zales.com has now updated its website in an attempt to fix a similar customer data exposure.
Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else’s order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.
The reader noticed that the link for the order information she’d stumbled on included a lengthy numeric combination that — when altered — would produce yet another customer’s order information.
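The weakness the reader describes is an order lookup keyed on nothing but the number in the URL. As an added illustration that is not Signet's or Zales' code, the block below puts that pattern beside a hardened lookup that binds the record to the logged-in customer, and goes one step beyond the article with a check over access-log lines that flags a client walking through many order IDs. All names, order numbers and log lines are constructed for the example.

```python
"""Added illustration (not the retailer's code) of the order-lookup weakness
described in the article, its fix, and a simple log check for enumeration.
Every identifier, address and log line here is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_email: str
    shipping_address: str
    card_last4: str


# Constructed sample data: three orders belonging to two customers.
ORDERS = {
    100001: Order(100001, "alice@example.com", "1 Main St, Dallas TX", "4242"),
    100002: Order(100002, "bob@example.com", "9 Oak Ave, Austin TX", "1111"),
    100003: Order(100003, "alice@example.com", "1 Main St, Dallas TX", "4242"),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(order_id: int) -> Order:
    """The weak pattern: the numeric ID in the link is the only thing that
    selects the record, so changing it returns another customer's order."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound from None


def get_order_hardened(authenticated_email: Optional[str], order_id: int) -> Order:
    """The fix: require a logged-in customer and scope the lookup to that
    customer. A non-owner gets the same 'not found' as a missing record, so
    the endpoint does not confirm which order numbers exist."""
    if authenticated_email is None:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer_email != authenticated_email:
        raise NotFound
    return order


def hardened_status(authenticated_email: Optional[str], order_id: int) -> str:
    """HTTP-style status the hardened handler would send for a request."""
    try:
        get_order_hardened(authenticated_email, order_id)
        return "200"
    except PermissionError:
        return "401"
    except NotFound:
        return "404"


# Detection: one client requesting many distinct order IDs (several of them
# nonexistent) is the footprint of the link-altering the reader described.
# Constructed access-log lines in the form "<client> <path> <status>".
SAMPLE_LOG = """\
10.0.0.5 /orders/100001 200
10.0.0.5 /orders/100003 200
10.0.0.9 /orders/100001 200
10.0.0.9 /orders/100002 200
10.0.0.9 /orders/100003 200
10.0.0.9 /orders/100004 404
10.0.0.9 /orders/100005 404
"""


def flag_enumerators(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Map each client that touched at least `threshold` distinct order IDs
    to the number of distinct IDs it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, path, _status = line.split()
        prefix, _, oid = path.rpartition("/")
        if prefix == "/orders" and oid.isdigit():
            seen[client].add(int(oid))
    return {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable lookup of another customer's order:",
          get_order_vulnerable(100002).customer_email)
    print("hardened lookup, same request as alice:",
          hardened_status("alice@example.com", 100002))
    print("clients walking order IDs:", flag_enumerators(SAMPLE_LOG))
```

The hardened handler answers a non-owner with the same 404 it would give for a missing record; answering 403 instead would tell a probing client that the number it guessed is a real order. The log check uses a count of distinct IDs rather than total requests, so a customer refreshing their own order page repeatedly is not flagged.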
KrebsOnSecurity contacted Signet after the reader did not receive a prompt reply from the company. Signet responded in writing: “A concern was brought to our attention by an IT professional. We addressed it swiftly, and upon review we found no misuse or negative impact to any systems or customer data.”
Their statement continues:
“As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity.”
Signet corrected similar weaknesses on its Jared and Kay websites in 2018, but the reader who reported that data exposure quickly realized that there were other ways for hackers to gain access to customer order information.
“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” said Brandon Sheehy, a Dallas-based Web developer. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”
This Zales customer data vulnerability is minor in comparison to the many other, much worse, things happening in information security right this moment. And this type of data exposure is unbelievably common today: KrebsOnSecurity could probably run one story each day for several months just based on examples I’ve seen at dozens of other places online.
However, I believe that one of the reasons we continue to see companies making these easily avoidable mistakes when it comes to customer data is that there are rarely any real consequences for companies that fail to take greater care. Meanwhile, their customers’ data is free to be hoovered up by anyone or anything that cares to look for it.
“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” Sheehy said. “This isn’t novel stuff, it’s basic Web site security.”