Fashion giant Express has patched its website to fix a security flaw that allowed anyone to view other people's order details and personal information, TechCrunch has learned exclusively. At least a dozen Express customer orders were publicly visible in Web search engine results.
The security flaw exposed the order confirmation page of Express's online store, revealing details about purchases and who made them.
The leaked information included customer names, phone numbers, and email addresses. Postal code, billing address, and shipping address. Order details, including the products purchased by the customer. Part of your payment card information, including card type and last four digits.
Express is a leading clothing retailer with hundreds of stores throughout the United States, Mexico, and Latin America. The formerly publicly traded company is now run by WHP Global, which also owns several fashion and retail giants.
Security and privacy advocate Rey Bango discovered the flaw by chance after investigating fraudulent purchases on a family member's account, but couldn't find a way to report the flaw to Express. Bango asked TechCrunch to alert the company to fix the bug.
“When I tried to use Google to find out if the order number was a legitimately formatted Express order number, I saw a link to another order and other people's order information,” Bango told TechCrunch.
TechCrunch has verified that the address on the order confirmation web page can be tweaked to view other customers' orders and personal information. Express uses nearly sequential order numbers, so you could easily cycle through thousands of orders by using automated web tools to change the order number in a web address.
When we contacted Express, the apparel giant fixed the flaw on Wednesday but did not say whether it planned to notify customers of the security lapse.
Reached for comment, Joe Berrian, Express' head of marketing, told TechCrunch: “We take the security and privacy of our customer information seriously and encourage anyone who identifies potential security concerns to contact us directly.”
“We are aware of this matter, have investigated it and continue to review it, but have no further comment at this time,” Berean said.
Berian did not say how customers can contact the company or elaborate on whether the company plans to update its website to receive reports of security flaws, such as through a vulnerability disclosure program. He did not say whether the company has logs or other technical means to see if someone has accessed other customers' personal information.
The executive did not respond to subsequent questions, including whether Express plans to disclose the incident to state attorneys general as required by U.S. data breach notification laws.
The Express security breach is the latest incident in recent months where misconfigurations and inadvertent security breaches have left customer information exposed on the internet.
In December, a security researcher discovered that Home Depot had exposed its internal systems for a year, but had trouble alerting the company to the incident. That same month, veterinary and pet wellness giant Petco shut down its website after TechCrunch discovered that its Vetco clinic site had leaked customers' personal information and pet medical documents.