Express Fixes Security Flaw Exposing Customer Data
Fashion retailer Express has patched a critical security vulnerability on its website that inadvertently exposed customers' personal information and order details to the public internet. The flaw, discovered by security advocate Rey Bango, allowed anyone to view sensitive data by manipulating sequential order numbers in the URL. Exposed information included customer names, phone numbers, email addresses, physical addresses, purchase details, and partial payment card information. At least a dozen orders were indexed by search engines before the issue was addressed. TechCrunch alerted Express to the breach, prompting the company to fix the bug. However, Express declined to confirm whether it plans to notify affected customers or disclose the incident to state authorities as required by U.S. data breach laws. The company also failed to provide clear channels for reporting future security concerns. This incident highlights ongoing cybersecurity challenges in the retail sector, following similar data exposure events at major retailers like Home Depot and Petco in recent months.
Wire timeline
Express Fixes Security Flaw Exposing Customer Data
Fashion retailer Express has patched a critical security vulnerability on its website that inadvertently exposed customers' personal information and order details to the public internet. The flaw, discovered by security advocate Rey Bango, allowed anyone to view sensitive data by manipulating sequential order numbers in the URL. Exposed information included customer names, phone numbers, email addresses, physical addresses, purchase details, and partial payment card information. At least a dozen orders were indexed by search engines before the issue was addressed. TechCrunch alerted Express to the breach, prompting the company to fix the bug. However, Express declined to confirm whether it plans to notify affected customers or disclose the incident to state authorities as required by U.S. data breach laws. The company also failed to provide clear channels for reporting future security concerns. This incident highlights ongoing cybersecurity challenges in the retail sector, following similar data exposure events at major retailers like Home Depot and Petco in recent months.
TechCrunch