It's time that companies start getting in trouble for leaking data.
It's probably no surprise that we're continuing to see stories like this, but this time the details come from Krebs on Security: Zales.com Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018.
Let me know if these paragraphs sound familiar.
In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure.
Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else’s order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.
The reader noticed that the link for the order information she’d stumbled on included a lengthy numeric combination that — when altered — would produce yet another customer’s order information.
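To make the flaw concrete, here is an added illustration in Python (not code from the article or from Signet's sites): an order-lookup endpoint that trusts the number in the URL, beside one that first checks the order belongs to the logged-in customer. The sample orders, function names and status codes are constructed for the example; `current_user` is assumed to come from a server-side session, never from the request itself.

```python
import secrets
from dataclasses import dataclass, asdict
from typing import Optional, Tuple

# Constructed sample data: sequential numeric order IDs, the pattern the
# article describes (change the number, see another customer's order).
@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # account e-mail of the customer who placed the order
    ship_to: str
    total_cents: int
    card_last4: str

ORDERS = {
    10001: Order(10001, "alice@example.com", "1 Main St", 12999, "4242"),
    10002: Order(10002, "bob@example.com", "2 Oak Ave", 54900, "1881"),
    10003: Order(10003, "carol@example.com", "3 Pine Rd", 8999, "0005"),
}

Response = Tuple[int, Optional[dict]]   # (HTTP status, JSON body)

def order_view_vulnerable(order_id: int) -> Response:
    """The exposure pattern: the only input is the ID from the URL, so any
    visitor who edits that number is served someone else's order."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, asdict(order)

def order_view_fixed(current_user: Optional[str], order_id: int) -> Response:
    """Object-level authorization: the record must belong to the
    authenticated caller (taken from the session, not the request).
    'No such order' and 'not your order' both return 404 so the endpoint
    does not confirm which IDs exist."""
    if current_user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        return 404, None
    return 200, asdict(order)

def new_order_token() -> str:
    """Defence in depth for e-mailed guest order-status links: an
    unguessable token instead of a counter. It complements the ownership
    check above; it never replaces it."""
    return secrets.token_urlsafe(24)

if __name__ == "__main__":
    print(order_view_vulnerable(10002))                  # leaks Bob's order to anyone
    print(order_view_fixed("alice@example.com", 10002))  # (404, None)
```

The fix is the ownership check, not hiding the ID: a long random token slows guessing, but only the authorization decision stops one customer from reading another's record.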
The company is quoted in the article as follows:
“As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity.”
If you have industry standards, then why is there yet another case of personally identifiable data being mismanaged and leaked on the Internet for all to see?
While the issue may be fixed now, this isn't the first time, and the article rightly says this is minuscule compared to the problems we face today, but it is still reality.
I do know that I would do everything in my power to make sure this type of thing does not happen.
This includes using a payment processor like Stripe and, where appropriate, billing software like Freshbooks to run my workflows and billing.
If I couldn't use Freshbooks because I sold product and it was easier to bill the customer directly, I'd definitely use Stripe, since its buy buttons collect the customer's data and that data is handled by them, not by me.
There are probably other solutions I'm not aware of, and every company's situation is unique; each company needs to find the solution that fits it best.
What do you think dear readers? Let’s discuss.
But I do think one key reason we continue to see companies make these easily avoidable mistakes with their customer data is that there are hardly ever any real consequences for organizations that fail to take more care. Meanwhile, their customers’ data is free to be hoovered up by anyone or anything that cares to look for it or index it.
“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” Sheehy said. “This isn’t novel stuff, it’s basic Web site security.”
Take those last two paragraphs to heart, and make it a great day!