Express Retail Website Exposed Customer Orders, Personal Data

A significant security vulnerability on the Express retail website allowed public access to customer orders and personal information, according to an exclusive report. The flaw, now corrected, left confirmation pages for online purchases visible in search engine results, revealing at least a dozen customer transactions.

The exposed data included full names, phone numbers, email and physical addresses, specific purchased items, and partial payment card details. Security advocate Rey Bango discovered the issue while investigating a suspicious charge on a relative's account. A simple Google search returned a link to another customer's complete order information.

TechCrunch confirmed the vulnerability. Because Express uses largely sequential order numbers, adjusting the digits in a webpage address could reveal thousands of individual orders. Bango, finding no clear method to report the problem to the company, contacted TechCrunch to facilitate a fix.
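The two properties that made the exposure possible, confirmation pages keyed on guessable sequential order numbers and pages that search engines were free to index, are illustrated here with an added example (not Express's code, and the order data is constructed): the weak lookup beside a hardened one that ties the page to the logged-in owner, keys it on an unguessable token, and marks it non-indexable.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Order:
    number: int          # sequential, the kind of value a visitor can adjust in a URL
    customer_id: str
    items: list
    # Unguessable per-order token for the hardened confirmation link (hypothetical design)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

# Constructed sample data standing in for an order store
ORDERS = {o.number: o for o in [Order(1001, "alice", ["shoes"]),
                                Order(1002, "bob", ["jacket"])]}
TOKENS = {o.token: o for o in ORDERS.values()}

def confirmation_vulnerable(order_number: int):
    """Before: no ownership check, lookup by sequential number, no anti-indexing
    header, so any crawler or visitor who changes the digits sees the order."""
    order = ORDERS.get(order_number)
    if order is None:
        return 404, {}, None
    return 200, {}, order

def confirmation_hardened(token: str, session_customer: Optional[str]):
    """After: the page is reachable only via a random token AND only for the
    authenticated customer who owns the order; the response tells search
    engines not to index it and forbids caching of the personal data."""
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    order = TOKENS.get(token)
    if (order is None or session_customer is None
            or not hmac.compare_digest(order.customer_id, session_customer)):
        # Same 404 for unknown token, anonymous visitor and wrong owner, so the
        # response does not confirm whether an order exists.
        return 404, headers, None
    return 200, headers, order
```

Even with a token, the ownership check matters: a confirmation link shared or leaked into a search index would otherwise still expose the order.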

Express addressed the flaw after being notified. The company's head of marketing, Joe Berean, stated they take security seriously and encourage direct contact about potential concerns. However, he declined to comment on whether affected customers would be notified, if the company maintains logs to determine who accessed the data, or if it plans to establish a formal process for reporting security issues. Berean did not address compliance with data breach notification laws.

This incident follows similar exposures at other major retailers, including Home Depot and Petco, highlighting recurring risks from website misconfigurations that inadvertently publish private customer data to the open web.

Source: TechCrunch