Zales.com Leaked Customer Data, Just Like Sister Firms Jared and Kay Jewelers Did In 2018 (krebsonsecurity.com)
An anonymous reader quotes a report from KrebsOnSecurity: In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure. Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else's order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer's credit card number. The reader noticed that the link for the order information she'd stumbled on included a lengthy numeric combination that -- when altered -- would produce yet another customer's order information. When the reader failed to get an immediate response from Signet, KrebsOnSecurity contacted the company.
In a written response, Signet said, "A concern was brought to our attention by an IT professional. We addressed it swiftly, and upon review we found no misuse or negative impact to any systems or customer data." Their statement continues: "As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity."
When Signet fixed similar weaknesses with its Jared and Kay websites back in 2018, the reader who found and reported that data exposure said his mind quickly turned to the various ways crooks might exploit access to customer order information. "My first thought was they could track a package of jewelry to someone's door and swipe it off their doorstep," said Brandon Sheehy, a Dallas-based Web developer. "My second thought was that someone could call Jared's customers and pretend to be Jared, reading the last four digits of the customer's card and saying there'd been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks."
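The flaw the reader hit is an insecure direct object reference: the order page trusts the numeric id in the URL and never checks who is asking. The following is an added example, not Signet's code or anything from the KrebsOnSecurity report. It models the vulnerable lookup beside two hardened forms (binding the lookup to the logged-in customer, and replacing the sequential id with an unguessable token for guest tracking links) and simulates the +/-1 stepping the reader described. The order ids, customer names and the `/orders/track` path are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int          # sequential id, as in the URL the reader altered
    customer_id: str       # account that placed the order
    name: str
    shipping_address: str
    card_last4: str
    tracking_link: str


# Constructed sample data; the ids and people are invented.
ORDERS: Dict[int, Order] = {
    48213001: Order(48213001, "cust-a", "Alice Example", "1 Main St, Dallas TX",
                    "4242", "https://carrier.example/track/111"),
    48213002: Order(48213002, "cust-b", "Bob Example", "2 Oak Ave, Austin TX",
                    "1881", "https://carrier.example/track/222"),
}


def order_view(order: Order) -> dict:
    """Fields the order-status page renders (the data the reader saw)."""
    return {
        "name": order.name,
        "shipping_address": order.shipping_address,
        "card_last4": order.card_last4,
        "tracking_link": order.tracking_link,
    }


# --- vulnerable: the numeric id in the URL is the only thing checked ---------
def lookup_order_vulnerable(order_id: int,
                            _session_customer: Optional[str] = None) -> Optional[dict]:
    order = ORDERS.get(order_id)
    return order_view(order) if order else None


# --- hardened 1: bind the lookup to the authenticated customer ---------------
def lookup_order(order_id: int, session_customer: Optional[str]) -> Optional[dict]:
    order = ORDERS.get(order_id)
    # Same None for "missing" and "not yours": a probe learns nothing about
    # which ids exist. compare_digest keeps the owner check constant-time.
    if session_customer is None or order is None:
        return None
    if not hmac.compare_digest(order.customer_id.encode(), session_customer.encode()):
        return None
    return order_view(order)


# --- hardened 2: guest tracking links carry an unguessable capability --------
# Only a hash of each token is stored, so a copy of this table is not enough
# to read orders. Assumption: tokens go out by e-mail and expire elsewhere.
GUEST_TOKENS: Dict[str, int] = {}


def issue_guest_link(order_id: int) -> str:
    token = secrets.token_urlsafe(32)          # 256 random bits; not enumerable
    GUEST_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = order_id
    return f"/orders/track?token={token}"


def lookup_by_guest_token(token: str) -> Optional[dict]:
    order_id = GUEST_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    return order_view(ORDERS[order_id]) if order_id is not None else None


# --- what the reader did: step the id up and down ---------------------------
def enumerate_neighbours(start_id: int,
                         lookup: Callable[[int, Optional[str]], Optional[dict]],
                         session_customer: Optional[str],
                         window: int = 2) -> List[int]:
    """Return the ids within +/-window of start_id that yield an order page."""
    hits = []
    for candidate in range(start_id - window, start_id + window + 1):
        if lookup(candidate, session_customer) is not None:
            hits.append(candidate)
    return hits
```

Against the vulnerable lookup the enumeration returns every neighbouring order; against the ownership-checked lookup it returns only the caller's own order, and an anonymous caller gets nothing. The guest-token path is the usual answer for "track my order" links that must work without a login: the id space is still sequential internally, but nothing sequential appears in the URL.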
If you want this to stop (Score:3)
Software development and IT need to be penalized. Exactly like it is in the aero world.
When a plane crashes, someone is held penally accountable for it:
If the design is flawed and the QA officer in charge of liaising with the FAA at the company making the faulty component is found to have signed off on the flawed design, he goes to jail.
If the FAA guy in charge of reviewing said design signed off on the QA documentation, he goes to jail.
If a wrench monkey in an aircraft maintenance outfit signs his name on the maintenance sheet and didn't do the job right, he goes to jail.
This can happen 20 years down the line, even after the person responsible for the crash has long since retired.
Apply that to software engineering and IT administration, and I'll guarantee you three things: software quality will go up in a hurry, IT folks will take security very, VERY seriously and won't accept corner-cutting demands from management anymore, and the salaries in the industry will go up a couple notches.
Re: (Score:3)
If a plane crashes, the FAA knows right away, and starts an investigation to figure out who screwed up. So the fine incentivizes companies not to screw up.
If a web site leaks customer data, any fine incentivizes the company to fix the problem without notifying anyone whose identity was stolen. Fixing the problem after the fact (basically using your own customers as QA) and keeping it quiet may be cheaper than hiring QA engineers to prevent the company from screwing up in the first place.
Basically we need so
Re:If you want this to stop (Score:4, Informative)
Mechanic used wrong size bolts to secure the pilot's windscreen, it blows off, pilot gets sucked out, flash frozen for 30 minutes and, amazingly, survives! Mechanic tells the truth and does not get charged with any crime.
That is the mode we need to get into. Absolutely no penalty for screwing up, as long as you follow the specified rules to the letter and tell the absolute truth. Any cover up uncovered will be penalized heavily even if it had no bearing on the accident being investigated.
Re: (Score:2)
Mechanic used wrong size bolts to secure the pilot's windscreen, it blows off, pilot gets sucked out, flash frozen for 30 minutes and, amazingly, survives!
Is that a real story?
Re: (Score:2)
If a pilot is sucked out of a window, there is no way to cover that up.
When a website leaks data, it is estimated that it is publicly reported less than 10% of the time. Even the site maintainers are often unaware that they have been hacked.
Re: (Score:2)
How about their jobs though, can the airline still fire them or otherwise sanction them?
Re: (Score:2)
FAA and NTSB used to be focused on preventing the next disaster, not penalizing the perps of current disaster.
They used to be so good. A Detroit crash that killed all but one 4 year old was basically because the pilots did not extend the flaps. Three different check lists cover that. And there is a plane not configured to take off claxon too. They systematically tracked and found out exactly why it was missed. Basicall
Re: (Score:2)
I want this to happen, but:
and the salaries in the industry will go up a couple notches.
This is why it won't happen.
Re: (Score:2)
If the FAA guy in charge of reviewing said design signed off on the QA documentation, he goes to jail.
Citation needed. Please provide an example of an FAA employee going to jail for incompetence.
When people start going to jail for incompetence, we are going to need a lot more jails.
Whenever I see "Jared" (Score:2)
First thing I think about was the old Freeverse Mac app "Jared, the Butcher of Song".
https://youtu.be/-dqxfNHTcbE [youtu.be]
I guess you could refer to the company as "Jared, the Butcher of Data".
Is the hacker in jail yet? (Score:5, Insightful)
They leave their front door wide open. A friendly neighbor, mowing his own lawn, notices and sends an SMS: "Larry, you left your main door open. Again!"
Larry calls police and accuses the neighbor of attempted burglary!
The reader took the mumbo jumbo thingie called URL, hacked it and created a new mumbo jumbo URL that allowed them to access some other customers' data! Isn't that hacking? Barbara, sweetie, Call legal and see if we can make it hacking and absolve ourselves of all responsibility. Ask Berkowicz to call one of the senators we bought to get FBI to accept a criminal complaint. Asok, Crystal and Jacbo, wrap this thing up before 3PM. My tee time is 4PM and traffic is murder after 3:10
Wrong Word (Score:2)
In the first paragraph, the word "remediate" means what you do if mediation fails and you try it again. The correct word is "remedy".
The article might have been written by a teacher. Teachers trying to appear professional often use "remediate" as a jargon for "remedy". When I was a school board member and a teacher in our schools would give a presentation and use "remediate" instead of "remedy", I would cringe. However, I would remain silent in order not to embarrass the teacher.