Tens of thousands of Saks Fifth Avenue shoppers had their personal information compromised and made publicly available online, BuzzFeed News reported.
The retailer’s website is maintained by Hudson’s Bay Company, which exposed customers’ email addresses, phone numbers and IP addresses, along with the product codes of items they were interested in purchasing.
The information was posted on unencrypted, plain-text web pages.
BuzzFeed News reviewed the pages, which were only taken down after the news outlet reached out to Hudson’s Bay Company for comment on the report.
“We take this matter seriously,” a Hudson’s Bay Company spokesperson told BuzzFeed News. “We want to reassure our customers that no credit, payment or password information was ever exposed. The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
It was also noted that some pages of Saks Fifth Avenue’s website are served over unencrypted connections, which leaves the information of shoppers browsing the site on an open Wi-Fi network vulnerable to hackers.
“This is as bad as security gets,” Robert Graham, cybersecurity expert and the owner of Errata Security, told BuzzFeed News. “Everyone is vulnerable.”