Dumb security mistakes at online shops recently enabled hackers to claim more victims in the fashion retail sector, including luxury department store Saks Fifth Avenue, Gilt and Lord & Taylor, according to BuzzFeed News.
Personal data of “tens of thousands” of Saks Fifth Avenue customers was publicly exposed online due to weak encryption and because the company kept it in plain text on its servers. It seems the company had no overall encryption and security strategy and chose to encrypt only certain pages, making it easy for an intruder on the local network to steal unencrypted information.
The company said no payment data was exposed, only email addresses, product codes for items customers wanted to buy, IP addresses and some phone numbers. Some email addresses and phone numbers were associated with work accounts of JP Morgan employees and government staff.
After the owner of Saks Fifth Avenue, the Canadian Hudson’s Bay Company, was informed about the breach, the affected pages were taken offline. The company later said “some email addresses” were exposed.
“We take this matter seriously,” a Hudson’s Bay Company spokesperson told BuzzFeed News. “We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”