BreachExchange mailing list archives

Dear ABC News Fixer: Sensitive Info Revealed on Totsy.com?


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 17 Jul 2013 11:46:09 -0500

http://abcnews.go.com/Blotter/dear-abc-news-fixer-sensitive-info-revealed-totsycom/story?id=19682582

Dear ABC News Fixer: I was using the mobile version of Totsy.com to do
some shopping when I discovered what seems to be a security breach.

I added three items to my cart. After the third item, the page
refreshed and brought up another user's account information.

I immediately called Totsy. The first representative barely reacted.
She told me she would "elevate my call to the IT department." She put
me on hold for four minutes, then hung up.

I called again, and a second rep declined to notify the third party
whose sensitive information I had unwittingly become privy to. I asked
to speak to a supervisor, and the rep informed me that her supervisor
went home early. Once again, I was told my call would be elevated to
the IT department -- but this time, the employee didn't even bother to
put me on hold. She just hung up on me.

I ended up losing my transaction because I took the time to call about
the security breach. They said no items were in my cart and they
couldn't help me process an order unless I had items. Well, I did have
them -- until I got rerouted to another user's account!

So not only did I lose my order, Totsy doesn't care that they are
giving me access to sensitive third party information. Please help me
resolve this.

- Mara Mason, Phoenix, Ariz.

Dear Mara: You told us that when you shopped on this "flash sale" site
for fancy kids' products, another customer's name, email address and
part of their credit card number popped up. You said the same thing
happened one more time shortly after you wrote this letter. And then
there were the seemingly phone-challenged customer service reps.

It turns out that around the same time, Totsy was getting tipsy, in a
financial sense. First, it filed notice with the State of New York in
May that it would need to lay off all 83 of its employees for
"economic" reasons. In June, the business was purchased by
Modnique.com.

We reached out to Modnique with your concerns, and Ivka Adam, VP of
marketing, said the privacy breach you encountered won't happen again
because Modnique uses a different platform. She said that as part of
the acquisition, Modnique got Totsy's customer files but no credit
card information or actual passwords.

Adam is giving you a $20 store credit to use on the site, to make up
for your emptied shopping cart at Totsy.

As for other former Totsy customers, Adam said Modnique will honor all
store credits and Totsy returns.

- The ABC News Fixer
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/