March 21, 2017


Saks Fifth Avenue Data Breach: Customer Info Exposed on Company Website

If you shop at Saks Fifth Avenue and you’ve ever put your name on a digital waiting list for a product, you may have had your personal information exposed. BuzzFeed was the first to report on March 19, 2017, that customer data was available in plain text on the Saks Fifth Avenue website.

The information for tens of thousands of customers was visible via a specific link on the Saks website where customers could join a wait list for products they were interested in. While payment details were not exposed, it was possible to see email addresses, phone numbers, product codes, and IP addresses. When BuzzFeed contacted Hudson Bay Company, the Canada-based organization that owns Saks Fifth Avenue, the pages containing customer information were taken down.

“We take this matter seriously,” a Hudson Bay Company spokesperson told BuzzFeed News. “We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”

While the company seems committed to fixing the problem, two concerns remain. First, saksfifthavenue.com uses a mix of secure (HTTPS) and non-secure (HTTP) pages; on the non-secure pages, whatever a shopper sends or receives travels unencrypted, which leaves them vulnerable if they use the site over an open WiFi connection. How can you tell whether a page is secure? The URL should begin with “https”, and most web browsers display a padlock in the address bar to indicate that the connection is encrypted. The second concern is that, right now, it is unclear how long customer information was exposed on the Saks website. During that time, anyone, and yes, that includes identity thieves and hackers, could have copied the data for their own criminal purposes. With plenty of email addresses to choose from, it won’t be surprising if some customers are targeted by multiple phishing or malware scams.
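The mix of secure and non-secure pages described above is something a site owner can audit mechanically rather than by eyeballing the padlock. The script below is an added example written for this post; it is not code from the article, from Saks Fifth Avenue, or from Hudson Bay Company, and the page URL and HTML it inspects are constructed samples (the example.com hostnames are placeholders). Given a page's URL and its HTML, it reports the page being served over plain HTTP, forms on an HTTPS page that submit to an HTTP address, and scripts, stylesheets, images or iframes pulled from an HTTP origin, which browsers treat as mixed content.

```python
"""Added example (not from the original article): flag pages and page elements that
expose shopper traffic to eavesdropping on an open WiFi connection.

Given a page's URL and its HTML, check_page() reports:
  * the page itself being served over plain HTTP,
  * forms on an HTTPS page whose action submits to an HTTP URL,
  * scripts, stylesheets, images and iframes loaded over HTTP from an HTTPS page
    (browser "mixed content").
The sample URL and HTML below are constructed for the example; no real retailer
page was inspected.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that name a resource a browser will fetch or submit to.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
    "form": "action",
}


class _InsecureRefCollector(HTMLParser):
    """Collect (tag, absolute URL) for every element that points at an http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Relative references inherit the page's scheme, so resolve them first.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, target))


def check_page(page_url, html):
    """Return a list of human-readable findings for one page, in document order.

    An empty list means the page and everything it references use HTTPS.
    """
    findings = []
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        findings.append(f"page itself served over {scheme or 'unknown scheme'}: {page_url}")
    collector = _InsecureRefCollector(page_url)
    collector.feed(html)
    for tag, target in collector.findings:
        kind = "form submits over http" if tag == "form" else f"<{tag}> loaded over http"
        findings.append(f"{kind}: {target}")
    return findings


# Constructed sample: an HTTPS wait-list page that still posts its form over HTTP
# and pulls a script from an HTTP origin. Hostnames are placeholders.
SAMPLE_PAGE_URL = "https://shop.example.com/waitlist"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://cdn.example.net/tracker.js"></script>
</head><body>
  <form action="http://shop.example.com/waitlist/join" method="post">
    <input name="email"><input name="phone"><button>Join wait list</button>
  </form>
  <img src="https://images.example.com/product.jpg">
</body></html>
"""

if __name__ == "__main__":
    for finding in check_page(SAMPLE_PAGE_URL, SAMPLE_HTML) or ["no insecure references found"]:
        print(finding)
```

Run it over a crawl of your own site's HTML and any non-empty result is a page where a shopper's email address, phone number or wait-list request could cross the network in the clear; the fix is to serve every page over HTTPS and redirect HTTP requests to it, so the padlock the article describes appears on every page, not just the checkout.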

As of now, Hudson Bay Company has not come forward to explain what happened and who was at fault. We may discover this was an accidental internal error, or it may have been hackers testing out some of the unsecured pages to see what they could get away with. Either way, you’ll undoubtedly be hearing more about this retail breach in the weeks and months to come.

Image courtesy of Flickr user Phillip Pessar.

Heidi Daitch

Chief Strategy Officer at IdentityForce
Heidi is a busy working mom who juggles many of the same responsibilities and challenges at home and at work - a long list of things to do and not enough time to do everything. With so little time, Heidi tries hard to find simple, but effective strategies to save time for what’s really important – spending time with her family.