Saks Fifth Avenue left customer data exposed to the public
Email addresses and phone numbers were kept in the open.
Sometimes, hackers don't have to lift a finger to swipe valuable shopping data -- it can be sitting right out in the open. BuzzFeed News has found that Saks Fifth Avenue was storing info for tens of thousands of customers in plain text on their servers. There was no payment data, thankfully, but the content revealed email addresses, phone numbers, internet addresses and product IDs. If a malicious visitor wanted to commit identity fraud or scam a customer, they had at least some of what they needed.
The brand's Canadian parent, Hudson's Bay Company, has since taken the info down while it works on a solution, and says that only "some email addresses" were affected. HBC maintains that it follows "industry best practices" for security, but that isn't really the case when anyone snooping around its web code could have found the info. BuzzFeed adds that the sites have an inconsistent approach to web encryption, protecting certain pages (such as the login page) but not others. Someone on the same local network could grab unencrypted web traffic and potentially use it to compromise an account.
While there's currently no evidence to suggest that someone made off with the data before it was taken down, the discovery isn't very reassuring. It suggests that online shops are still making basic security mistakes, and don't always realize that even limited data exposure can be very dangerous. It only takes a nosy intruder to turn a blunder like this into a serious incident.
Update: BuzzFeed has since learned that only Saks was affected, not associated brands like Gilt and Lord & Taylor -- we've updated the article accordingly.
