Major online fashion stores don’t follow basic online security practices: BuzzFeed report

Several major fashion brands are still exposing customer data in plain text.

In a mind-numbing finding, BuzzFeed News discovered that a number of major fashion stores were exposing the personal information of tens of thousands of their customers in plain text in the code of their own web pages, which makes an attacker's job frighteningly simple: the data can be read straight out of the page, with no break-in required.

Thankfully, these stores, which include Lord & Taylor, Saks Fifth Avenue and Gilt, had not exposed financial data in plain text.

They had, however, exposed customers' email addresses, internet (IP) addresses, phone numbers and product IDs in plain text, which is enough for a malicious visitor to scoop up the data and use it for identity fraud or for targeted scams against those customers.

After BuzzFeed's report came out, Hudson's Bay Company (HBC), the parent company of the three retailers, took the data down while it works on a fix. It has also disclosed a couple of instances in which "some email addresses" were affected.

Although HBC maintains that it follows "industry best practices" for internet security, that claim is hard to square with the facts: anyone who chose to look through the source code of its pages could find private customer data in it.

Most of the sites also serve only certain pages, such as the login page, over HTTPS and leave the rest on plain HTTP, so anyone on the same local network (a shared Wi-Fi, say) can sniff the unencrypted traffic, including any session cookie sent on those requests, and potentially use it to take over an account.
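The two problems described above, customer data embedded in page source and pages left on plain HTTP, can both be caught by looking at a page's HTML before it ships. The following is an added example of such a check; it is not BuzzFeed's code or any retailer's code, and the page it audits is a constructed sample whose names, numbers and hostnames are made up. It scans the source for email addresses, IPv4 addresses and phone numbers, and lists every form action, link and script that resolves to an `http://` URL.

```python
"""Audit a web page's source for leaked customer data and unencrypted endpoints.

Added example; not code from the BuzzFeed report or from any of the retailers.
SAMPLE_HTML is constructed input: every name, number and host in it is made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Patterns for the kinds of data the report says were embedded in page source.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # North American style numbers, with optional +1 and optional separators.
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}


def find_pii(source):
    """Return {kind: sorted unique matches} for every PII pattern found in source."""
    found = {}
    for kind, pattern in PII_PATTERNS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(source)})
        if hits:
            found[kind] = hits
    return found


class _TargetCollector(HTMLParser):
    """Collect the URLs a page submits to, links to, or loads script from."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))
        elif tag == "a" and attrs.get("href"):
            self.targets.append(("link", attrs["href"]))
        elif tag == "script" and attrs.get("src"):
            self.targets.append(("script", attrs["src"]))


def find_plain_http(source, page_url):
    """Return (kind, absolute_url) for every target that resolves to plain http://.

    Relative targets inherit the page's own scheme, so a page fetched over
    http:// reports all of its relative links and forms as unencrypted too.
    """
    parser = _TargetCollector()
    parser.feed(source)
    flagged = []
    for kind, target in parser.targets:
        absolute = urljoin(page_url, target)
        if urlparse(absolute).scheme == "http":
            flagged.append((kind, absolute))
    return flagged


def audit_page(source, page_url):
    """Run both checks and return their findings together."""
    return {"pii": find_pii(source), "plain_http": find_plain_http(source, page_url)}


# Constructed sample page: an account page that drops the logged-in customer's
# details into an inline script and mixes https:// and http:// endpoints.
SAMPLE_PAGE_URL = "https://shop.example/account"
SAMPLE_HTML = """<html><body>
<script>
  var customer = {"email": "jane.doe@example.com",
                  "phone": "555-867-5309",
                  "ip": "203.0.113.42",
                  "lastProduct": "SKU-48213"};
</script>
<form action="https://shop.example/login" method="post"></form>
<a href="/orders">Orders</a>
<a href="http://shop.example/wishlist">Wishlist</a>
<script src="http://cdn.example/track.js"></script>
</body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for kind, values in report["pii"].items():
        print(f"PII in page source ({kind}): {', '.join(values)}")
    for kind, url in report["plain_http"]:
        print(f"Unencrypted {kind}: {url}")
```

Run against the sample, the audit reports the email, phone number and IP address sitting in the inline script, and flags the wishlist link and the tracking script as plain HTTP while the login form and the relative `/orders` link pass. The regexes are deliberately broad (they will flag any email-shaped string, including a support address), so treat hits as leads for a human to confirm rather than proof of a leak.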

There is currently no evidence that anyone made use of the data before it was taken down, but the discovery that confidential customer data was being exposed in plain text is hardly reassuring.

The discovery shows that online stores continue to make basic security mistakes at a time when even a limited exposure of data can lead to serious consequences. All it takes is a nosy intruder.
