BreachExchange mailing list archives

Jared And Kay Jewelers Fix Consumer Data Breach


From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 10 Dec 2018 00:47:01 -0600

https://www.pymnts.com/news/security-and-risk/2018/jared-signet-kay-jewelers-data-breach/

Signet Jewelers, the company that owns Jared and Kay Jewelers, has
fixed a massive data breach that allowed anyone to view the order
information of other customers, including a home address and the last
four digits of a purchaser’s credit card, according to a Monday
(December 3) report.

The problem came to light in the middle of November, when a web
designer in Dallas named Brandon Sheehy bought a pair of earrings for
his girlfriend from Jared online.

Sheehy found out that when he modified the link in the confirmation
email just slightly, and pasted it into a web browser, he could see
another customer’s order. The information clearly showed the
customer’s name, shipping and billing address, phone number, email
address, all items and total amounts, the delivery date, the tracking
link and the last four digits of the customer’s credit card number.

“My first thought was they could track a package of jewelry to
someone’s door and swipe it off their doorstep,” he said. “My second
thought was that someone could call Jared’s customers and pretend to
be Jared, reading the last four digits of the customer’s card and
saying there’d been a problem with the order, and if they could get a
different card for the customer they could run it right away and get
the order out quickly. That would be a pretty convincing scam. Or just
targeted phishing attacks.”

Sheehy contacted Jared’s parent company, Signet Jewelers, to report
the issue and ask that it be resolved, he said, but he could still see
the info for weeks.

Scott Lancaster, the chief information security officer at Signet,
said the company fixed the issue for all future orders, but until
recently didn’t fix the issue for past orders.

“When a customer first brought this matter to our attention in early
November, we fixed it for all new orders going forward,” Lancaster
said. “But we didn’t notice at the time that this applied to all past
orders as well as future orders.”
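The flaw the report describes is an insecure direct object reference: the order number in the confirmation link was the only thing standing between a customer and everyone else's orders, and the first fix apparently changed how new links were issued rather than how every lookup was authorized, which is why past orders stayed exposed. The following is an added example, not the article's or Signet's code, showing a minimal order-lookup handler in both forms: the unauthorized lookup beside one that checks a per-order HMAC token or the logged-in owner on every request, so the check covers old orders as well as new ones. All names, order numbers, URLs and customers below are constructed, and the `LINK_SECRET` handling is an assumption about how such a key would be kept.

```python
"""
Added example (not from the article or the retailer's own code): an
order-lookup handler with the failure mode the report describes (a
guessable id in a confirmation link) beside an authorization check that
runs at request time. Every value below is constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: two customers, two adjacent order numbers.
# Sequential ids are what let a "slightly modified" link land on a
# neighbouring order.
ORDERS = {
    "100234": {"customer_id": "cust-a", "name": "A. Example",
               "last4": "1234", "address": "1 Main St"},
    "100235": {"customer_id": "cust-b", "name": "B. Example",
               "last4": "5678", "address": "2 Oak Ave"},
}

# Assumption: in production this lives in a secret store, not in code.
LINK_SECRET = secrets.token_bytes(32)


def link_token(order_id: str) -> str:
    """Derive an unguessable per-order token; editing the order number in
    the URL invalidates the token instead of exposing another order."""
    return hmac.new(LINK_SECRET, order_id.encode(), hashlib.sha256).hexdigest()


def confirmation_url(order_id: str) -> str:
    """The link a confirmation email would carry (hypothetical host/path)."""
    return f"https://shop.example/orders/{order_id}?t={link_token(order_id)}"


def lookup_vulnerable(order_id: str) -> Optional[dict]:
    """Before: whoever supplies an existing order id gets the record."""
    return ORDERS.get(order_id)


def lookup_hardened(order_id: str, token: Optional[str],
                    session_customer: Optional[str]) -> Optional[dict]:
    """After: authorization is enforced on every lookup, so it applies to
    orders placed before the fix as well as after. The caller must present
    either the order's own link token or a session owning the order."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if token is not None and hmac.compare_digest(token, link_token(order_id)):
        return order
    if session_customer is not None and session_customer == order["customer_id"]:
        return order
    # A real handler would answer 404 here and log the miss, since a burst
    # of near-miss order ids is a useful enumeration signal for the SOC.
    return None


def redact_for_display(order: dict) -> dict:
    """Even the rightful viewer only needs the display fields."""
    return {k: v for k, v in order.items() if k != "customer_id"}


def handle_request(url: str, session_customer: Optional[str] = None) -> Optional[dict]:
    """Simulate the server receiving a pasted link: pull the order id from
    the path and the token from the query string, then authorize."""
    parsed = urlparse(url)
    order_id = parsed.path.rstrip("/").split("/")[-1]
    token = parse_qs(parsed.query).get("t", [None])[0]
    order = lookup_hardened(order_id, token, session_customer)
    return redact_for_display(order) if order else None


if __name__ == "__main__":
    good = confirmation_url("100234")
    tampered = f"https://shop.example/orders/100235?t={link_token('100234')}"
    print("own link      :", handle_request(good))
    print("tampered link :", handle_request(tampered))
    print("owner session :", handle_request("https://shop.example/orders/100235",
                                            session_customer="cust-b"))
```

The design point is where the check lives: a token embedded only in newly generated links protects new orders, while a check executed inside the lookup protects every order in the database, including those whose links were sent months earlier.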
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
