Fashion giant Express has patched its website to fix a security flaw that allowed anyone to view other people’s order details and personal information, TechCrunch has exclusively learned. At least a dozen of Express’ customer orders had been publicly listed in web search engine results.
The security flaw exposed order confirmation pages on Express’ online store, revealing details of purchases and who made them.
The exposed information contained customer names, phone numbers and email addresses; postal, billing, and delivery addresses; order details, including the items that a customer purchased; and partial payment card information, including the card type and the last four-digits.
Express is a large clothing retailer with hundreds of stores across the United States, Mexico and Latin America. The once-publicly listed company is now run by WHP Global, which also owns several fashion and retail giants.
Rey Bango, a security and privacy advocate, accidentally discovered the flaw after investigating a fraudulent purchase on a family member’s account, but found no way to report the flaw to Express. Bango asked TechCrunch to alert the company in an effort to get the bug fixed.
“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order and someone else’s order information came up!” Bango told TechCrunch.
TechCrunch verified that one could tweak the order confirmation webpage address to view the order and personal information of other customers. Express uses order numbers that are largely sequential, which makes it easy to potentially cycle through thousands of orders by changing the order number in the web address using automated web tools.
After we contacted Express, the apparel giant fixed the flaw on Wednesday, but would not say if it plans to notify customers of the security lapse.
When reached for comment, Express’ head of marketing Joe Berean told TechCrunch: “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”
“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time,” said Berean.
Berean would not say how customers could contact the company, nor detail if the company has plans to update its website to receive reports of security flaws, such as a vulnerability disclosure program. He did not say if the company had the technical means, such as logs, to check if anyone had accessed the personal information of other customers.
The executive did not respond to follow-up questions, including if Express planned to disclose the incident to state attorneys general as required by U.S. data breach notification laws.
Express’ security lapse is the latest incident in recent months where customers’ information was left exposed to the internet due to misconfigurations or inadvertent security lapses.
In December, a security researcher found that Home Depot had exposed its internal systems for a year, but struggled to alert the company to the incident. In the same month, veterinary and pet wellness giant Petco took down its website after TechCrunch found the company’s Vetco Clinics site was spilling customers’ personal information and their pets’ medical documents.
