Luxury retailer Saks Fifth Avenue has inadvertently exposed the personal details of tens of thousands of customers online.
According to a report by media company BuzzFeed, customers’ details were “up until recently, publicly available in plain text.”
The incident affected online shoppers who had provided their email addresses and/or phone numbers to join a waitlist to purchase certain products, said BuzzFeed.
The unencrypted web pages containing the customer records were taken offline after Saks’ parent company, Hudson’s Bay Co. (HBC), was contacted for comment.
Canada-based HBC, which maintains the brand’s website, responded with the following statement:
“We take this matter seriously. We want to reassure our customers that no credit, payment, or password information was ever exposed,” the spokesperson told BuzzFeed.
“The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses.”
The company noted it had also resolved the issue related to customer phone numbers, which was “an even smaller percent.”
Tim Erlin, VP of Product Management and Strategy at Tripwire, said that it is too early to tell how severe the retailer’s disclosure of sensitive information will turn out to be.
However, he added that consumers should always be concerned when their personal data is not properly safeguarded.
“The cardinal rule is after an initial report of a breach of some kind, you will always learn more later,” Erlin told USA Today.
Erlin warned that cyber thieves can use e-mail lists and phone numbers to inflict financial damage on unsuspecting victims, including identity theft. “A collection of valid e-mails is in effect a target list of phishing campaigns,” he said.