In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure.
Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else’s order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.
The reader noticed that the link for the order information she’d stumbled on included a lengthy numeric combination that — when altered — would produce yet another customer’s order information.
When the reader failed to get an immediate response from Signet, KrebsOnSecurity contacted the company. In a written response, Signet said, “A concern was brought to our attention by an IT professional. We addressed it swiftly, and upon review we found no misuse or negative impact to any systems or customer data.”
Their statement continues:
“As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity.”
When Signet fixed similar weaknesses with its Jared and Kay websites back in 2018, the reader who found and reported that data exposure said his mind quickly turned to the various ways crooks might exploit access to customer order information.
“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” said Brandon Sheehy, a Dallas-based Web developer. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”
In the grand scheme of many other, far more horrible things going on in information security right now, this Zales customer data exposure is small potatoes. And this type of data exposure is unbelievably common today: KrebsOnSecurity could probably run one story each day for several months just based on examples I’ve seen at dozens of other places online.
But I do think one key reason we continue to see companies make these easily avoidable mistakes with their customer data is that there are hardly ever any real consequences for organizations that fail to take more care. Meanwhile, their customers’ data is free to be hoovered up by anyone or anything that cares to look for it.
“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” Sheehy said. “This isn’t novel stuff, it’s basic Web site security.”
I’m struggling to reconcile “As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing” with using Insecure Direct Object References, which has been one of the OWASP Top 10 issues for most (if not all) of the time OWASP has existed.
Perhaps they should ask whoever provides the “industry-leading security testing” to explain how they missed that little detail?
Brian, many thanks for your hard work and excellent reporting, you are performing a service that benefits every honest internet user, and we all owe you for it.
Seems to me our laws are always playing ‘catch up’. For years now, companies don’t need to do much more than publish inane statements like “we take the safety and privacy of our customer data seriously” – and they get away with impunity when their systems get hacked – oftentimes from sheer sloppy security practices! When will our laws catch up to finally make companies pay?
Four thousand years ago… when city-living was still a new thing… the Code of Hammurabi (Babylon) read thus: “If a builder builds a house for a man and does not make its construction firm, and the house which he has built collapses and causes the death of the owner of the house, that builder shall be put to death.” Harsh… but makes me wonder if that law was also the result of years and years of pent-up anger?
Signet’s statement is probably the puffiest piece of puffery I’ve read in along time. Maybe they have a puffbot.
Wouldn’t one think that Zales, a subsidiary of Signet, would take the appropriate action to ensure their site didn’t have the same flaw? The other breach was in late 2018, almost three years ago. Don’t the IT groups ever talk to one another?
My easy answer would be that the three companies were acquired separately and their POS systems were never merged or made compatible with one another. It probably would cost a small fortune to merge them (too much money and time). Then you would end up with the worst of each system.
It’s interesting that these three companies are under the same umbrella organization.
Why didn’t Zales fix their site in late 2018 when the other two companies were breached?
Don’t the IT groups ever talk to each other? My guess is that these companies were acquisitions and making the systems compatible turned out to be a bigger (more money) chore than originally thought.
Smacks of a CTO that didn’t know what to do or how to convince the CEO and CFO to make the investments to upgrade based on their own experience (let alone industry best practices).
It’s especially rich that “security is our top priority” blah blah is trotted out when their own experience shows security is merely a reactive afterthought.
This is dirt common in both cases? The norm for SMB.
“But I do think one key reason we continue to see companies make these easily avoidable mistakes with their customer data is that there are hardly ever any real consequences for organizations that fail to take more care.”
Geez, a corporate CEO not taking responsibility for wrongdoing and or/negligence and landing the the can?
This is America! Where do you think we’re living?
/sarcasm
Until the CEO CFO and CTO of companies are penalized for such amateur long known “HTML as an address book” bad practices, and the c-suites of parent companies are not levied an extra penalty for not uniformly updating all their subsidiary sites after such a breach, nothing will change.
Cc: US Congress, this is not a new issue, why you slacking at getting some common sense legislation out there to put HTML phone books in the grave? I suggest those with IT backgrounds like Rep Ted Lieu of CA and consumer financial protection backgrounds like Sen Elizabeth Warren get together to craft some robust legislation* that will close these weaknesses.
*And while at it add language that will (aggressive timeline suggested as none of these supplanting technologies are new and it is only investment holding back the transition):
a) within 1 year, eliminate the credit card mag strip and at minimum replace with a chip feature (with an additional contactless feature optional);
b) within 1-1/2 years, require card networks to stop processing and reject mag strip transactions;
c) within 1 year, require card issuers with a customer using their apps/websites to offer customers “blank” cards without the account number, cvv, etc. (where as with Apple Card, this info is in the app, not on the card ((and instead just show at maximum the holders name and add a toll free number/website address and a card serial number (((itself only good for reporting it lost or stolen))) )) );
d) within 2 years require states and the federal government to implement digital IDs, enhanced DLs and passports;
e) within 3 years replace all chip cards and chip terminals with contactless NFC cards and terminals only (including gas pumps and ATM’s) to allow digitally oriented users to shed physical cards (or at least keep their card at home) and digital laggards to pay/authenticate by physical card NFC means only.
There is so much low hanging security /convenience fruit to go after. If legislation puts requirements and timing pressure on the payments industry, this transition off legacy systems to proven modern analogues could actually finally happen.
I suspect that they did not have the necessary information in logs to actually determine whether this flaw had been exploited, or if they did to what extent and which customers. The proper statement would be “An unknown number of customers’ information may have been accessed while this security flaw existed.” Assume the worst, all accessible customer data was scraped. The truth is somewhere in between none of the data and all of the data.
There is a good chance as well that they retain this information indefinitely. The sales and marketing team wants it that way, only previous customers can become repeat customers. Just because a customer’s last order was over 15 years ago does not mean their data was safe, although maybe a less complete record due to system enhancements over that time. I know I receive spam because companies I have dealt with in the past saw fit to keep the data even though I “closed” my account. I have a habit of seeding data, and the haveibeenpwned website lists my info as part of a data breach which occurred years after I closed my account for multiple breaches. It is not paranoia if they are misusing your information.
What happened to good old fashioned user acceptance testing? I would think having some of their people go through the process of buying bling from the website would have uncovered this flaw. At least, if they had good testers.
Explain.
How does this happen? Could someone explain how this could not be caught by developers?
Um it’s because devs aren’t normally incentivized to pay attention to security. If the app works and its performance is acceptable, their job is considered done.
Investment firms are heavily focused on ESG these days. The “G” part (governance) can certainly use metrics such as sloppy security and privacy standards as inputs. This can hit coporate miscreants right where it hurts – their share price.
Usually when it comes down to this it’s not so much that the guys developing it don’t know these kind of flaws exist, it’s that management makes them go from development to production without even the vaguest grasp that security needs to be, y’know, implemented in production.
So the guys who got stuck implementing this fix get ragged on for having to fix a setup management approved years ago, meanwhile the manager(s) who rushed development to production “under budget” were promoted and will receive absolutely no consequences for their incompetence.