Fashion giant Express has fixed a security flaw on its website that allowed anyone to view other people’s order details and personal information, TechCrunch has learned exclusively. About a dozen Express customer orders were publicly listed in search engine results.
The flaw exposed order confirmation pages on the Express online store, revealing what was purchased and who made the purchase.
The disclosed information included customer names, phone numbers and email addresses; postal, billing, and shipping addresses; order details, including the products the customer has purchased; and payment card information, including card type and last four digits.
Express is a large clothing retailer with hundreds of stores in the United States, Mexico and Latin America. The once publicly listed company is now controlled by WHP Global, which also owns several fashion and retail giants.
Rey Bango, a security and privacy representative, discovered the flaw by accident while investigating fraudulent purchases on a family member’s account, but had no way to report the problem to Express. Bango asked TechCrunch to alert the company so the bug could be fixed.
“When I tried to check if the order number was a valid Express order number using Google, I saw a link to another order and someone else’s order notification came up!” Bango told TechCrunch.
TechCrunch confirmed that changing the order number in the web address of a confirmation page displayed another customer’s order and personal information. Express uses sequential order numbers, so cycling through thousands of orders by changing the number in the web address was straightforward with readily available online tools.
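To make the flaw concrete from the defender's side, here is an added illustration (not Express's code) of an order-confirmation lookup keyed on a sequential order number alone, next to a version that also requires an unguessable per-order token and checks that the signed-in customer owns the order. All orders, customers, sessions and tokens are constructed sample data.

```python
# Added example, not code from the original article or from Express.
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Order:
    number: int                 # sequential, so trivially guessable
    customer_id: str
    summary: str
    # Unguessable per-order token; a link can carry it, a guess cannot.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

# Constructed sample data: three consecutive orders belonging to two customers.
ORDERS = {
    1001: Order(1001, "cust-A", "2 shirts, card ending 4242"),
    1002: Order(1002, "cust-B", "1 jacket, card ending 1111"),
    1003: Order(1003, "cust-A", "3 jeans, card ending 4242"),
}
# Constructed session table: session id -> signed-in customer.
SESSIONS = {"sess-a": "cust-A", "sess-b": "cust-B"}
# Denied lookups are recorded so that enumeration attempts can be investigated.
AUDIT_LOG: list[str] = []

def confirmation_vulnerable(order_number: int) -> Optional[str]:
    """Returns the page for whatever number appears in the URL, with no
    check on who is asking: the pattern described in the article."""
    order = ORDERS.get(order_number)
    return order.summary if order else None

def confirmation_fixed(order_number: int, session_id: Optional[str],
                       token: str) -> Optional[str]:
    """Requires a valid session, the order's own token, and ownership of the
    order by the signed-in customer; anything else is denied and logged."""
    order = ORDERS.get(order_number)
    customer = SESSIONS.get(session_id) if session_id else None
    if order is None or customer is None:
        AUDIT_LOG.append(f"denied order={order_number} session={session_id}")
        return None
    # Constant-time comparison so a wrong token leaks nothing via timing.
    token_ok = secrets.compare_digest(order.token, token)
    if not token_ok or order.customer_id != customer:
        AUDIT_LOG.append(f"denied order={order_number} customer={customer}")
        return None
    return order.summary
```

Because the fixed lookup refuses requests without a session and a matching token, a search engine crawler following an exposed link gets nothing to index, which addresses the search-result exposure Bango noticed.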
After TechCrunch contacted Express, the clothing giant fixed the bug on Wednesday, but would not say whether it intended to notify customers of the security lapse.
Reached for comment, Express chief marketing officer Joe Berean told TechCrunch: “We take security and customer privacy very seriously and encourage anyone with security concerns to contact us directly.”
“When we learned about the matter, we investigated and continued to review it and at this time we have nothing to say,” said Berean.
Mr. Berean would not say how customers can contact the company, nor would he detail whether the company has plans to update its website to receive bug reports, such as a vulnerability disclosure program. He did not say whether the company has technical measures, such as logs, to investigate whether someone has obtained information about other customers.
The executive did not respond to follow-up questions, including whether Express plans to disclose the incident to federal attorneys general under US data breach laws.
The Express security lapse is the latest incident in recent months in which customer information was left exposed online because of an inadvertent security flaw.
In December, a security researcher discovered that Home Depot had been exposing its inner workings for a year, but he struggled to inform the company about the incident. In the same month, pet food giant Petco took down its Vetco Clinics website after TechCrunch contacted the company; the site was leaking customer information and the medical records of their pets.