SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Jared, Kay Jewelers Parent Fixes Data Leak — Krebs on Security
Date    Tuesday December 04 2018, @08:37AM
Author    martyb
from the face-palm dept.
https://soylentnews.org/article.pl?sid=18/12/04/0512258

upstart writes in with a submission, via IRC, for SoyCow1984:

Jared, Kay Jewelers Parent Fixes Data Leak:

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.

Dallas-based Web designer Brandon Sheehy discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

[...] Concerned that his own information was similarly exposed, Sheehy contacted Jared parent company Signet Jewelers and asked them to fix the data exposure. When several weeks passed and Sheehy could still view his information and that of other Jared customers, he reached out to KrebsOnSecurity.

Scott Lancaster, chief information security officer at Signet, said the company did fix the problem for all future orders shortly after receiving a customer’s complaint. But Lancaster said Signet neglected to remedy the data exposure for all past orders until contacted by KrebsOnSecurity.

“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”

Lancaster said the problem affected only orders made online through jared.com and kay.com, and that the weakness was not present on the sites of the company’s other jewelry brands, such as Zales and Piercing Pagoda.

[...] “Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”
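As an added example, not code from the Krebs article or from Signet, here is a sketch of the kind of order-lookup handler the excerpt describes: the lookup that serves whatever order id appears in the link, a partial fix that only protects orders created after the fix was deployed (the gap Lancaster describes), and a fix that checks every order. All names, URLs and data are constructed.

```python
"""Order-confirmation lookup: the weakness described above versus a hardened
version. Order ids, emails and URLs are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    customer_email: str
    # Unguessable per-order secret that must accompany the order id in the link.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample data; sequential ids model a guessable link parameter.
ORDERS = {
    1001: Order(1001, "alice@example.com"),
    1002: Order(1002, "bob@example.com"),
}
FIX_DEPLOYED_FROM = 1002  # hypothetical: first order id created after the fix


def lookup_vulnerable(order_id: int):
    """Serves any order whose id appears in the link: editing the id in the
    URL reveals a different customer's order (the flaw the article describes)."""
    return ORDERS.get(order_id)


def lookup_partially_fixed(order_id: int, token: str):
    """Enforces the token only for orders created after the fix, so every
    earlier order is still reachable with a guessed id (a fix 'for new orders
    going forward' that leaves past orders exposed)."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order.order_id >= FIX_DEPLOYED_FROM and not hmac.compare_digest(order.token, token):
        return None
    return order


def lookup_hardened(order_id: int, token: str):
    """Requires the per-order token for every stored order, old and new, and
    compares it in constant time so the check cannot be timed."""
    order = ORDERS.get(order_id)
    if order is None or not hmac.compare_digest(order.token, token):
        return None
    return order


def confirmation_link(order: Order) -> str:
    """Link to embed in the receipt email: the id alone is not enough."""
    return f"https://shop.example/order/{order.order_id}?t={order.token}"
```

The partial fix is the one to test for: a regression check should fetch an order issued before the fix with a guessed id and no token, and expect a refusal.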


Original Submission

Links

  1. "upstart" - https://soylentnews.org/~upstart/
  2. "Jared, Kay Jewelers Parent Fixes Data Leak" - https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/
  3. "Signet Jewelers" - https://en.wikipedia.org/wiki/Signet_Jewelers
  4. "Scott Lancaster" - https://www.linkedin.com/in/scott-lancaster-cism-6788461/
  5. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=30441

© Copyright 2024 - SoylentNews, All Rights Reserved
