Skip to content ↓ | Skip to navigation ↓

New Jersey law enforcement has arrested a couple for abusing a vulnerability affecting Lowe’s website in order to steal merchandise.

On 15 August, Ocean County Prosecutor Joseph D. Coronato and Brick Township Police Chief James Riccio announced the arrests of Romela Velazquez, 24, and Kimy Velazquez, 40. Together, the couple allegedly orchestrated a scheme by which they purchased and flipped merchandise from Lowe’s home improvement without actually paying for it.

A press release issued by the Ocean County Prosecutor’s office provides more information into the couple’s purported conspiracy:

“The investigation began after a Lowes Organized Retail Crime Manager brought the case to the attention of Brick Township Police, alleging that Romela Velazquez knowingly and purposely exploited weaknesses in their online website in order to have merchandise shipped to her home in Brick Township without payment. Romela Velazquez then allegedly posted several of the stolen merchandise items to a local Facebook Group ‘Buy and Sell’ page, often listing the items as ‘New In Box’ and for less than half their original price.”

Authorities showed up at the Velazquez residence on 3 August to execute a search warrant. During the course of their on-site investigation, they found several valuable items including a 70” Vizio LED Smart TV, a Stainless Steel Weber Grill, a LG Portable Air Conditioner, and even approximately $2,500 worth of Victoria Secret underwear. Many of these items still had their price tags.

Police have charged Romela with second degree computer criminal activity, second degree theft by deception for attempting to steal $258,068.01 in merchandise, and third degree theft by deception for receiving $12,971.23 without having paid for it. For his part in the scam, her husband Kimy faces charges of third degree receipt of stolen property and third degree fencing. Both are currently free and are awaiting a future court date.

As of this writing, it’s not publicly known how Lowe’s ultimately detected the fraud or what weakness Romela allegedly exploited in order to steal the merchandise. Bleeping Computer’s Catalin Cimpanu writes that flaw affected the site’s gift card module, but no other details are currently available. Romela’s lawyer said her client will fight the charges on the grounds that she doesn’t possess the technical skills necessary to hack Lowe’s website.

The home management company has thus far not publicly confirmed the weakness.

Regardless of whether the flaw actually exists, it’s important that retailers like Lowe’s use this story to review their information security defenses. In particular, they should examine their patch management strategies and make sure their IT teams know the difference between applying a patch and remediating a vulnerability. (Plenty of professionals can’t explain that relationship.)

To strengthen your organization’s patch management strategies, please click here.