Fashion giant Express has resolved a security issue on its website that exposed customer order details and personal information, TechCrunch learned. Over a dozen Express customer orders appeared in search engine results due to this flaw.
The vulnerability allowed access to order confirmation pages on Express’ site, showing details of purchases and customer information.
Exposed data included customer names, phone numbers, email addresses, postal and billing addresses, order details, and partial payment card information.
Express, a major clothing retailer in the U.S., Mexico, and Latin America, is now operated by WHP Global. The flaw was discovered by Rey Bango, a security advocate, who found no way to report it directly to Express. Bango asked TechCrunch to alert the company.
Bango explained to TechCrunch that a simple Google search for an order number inadvertently exposed another person’s order details.
TechCrunch confirmed that adjusting the order confirmation page address could reveal other customers’ information, due to largely sequential order numbers.
After being contacted, Express patched the flaw but has not confirmed whether it plans to inform affected customers.
Joe Berean, Express’ head of marketing, emphasized the company’s commitment to customer data security and encouraged anyone with security concerns to contact Express directly. Berean mentioned an ongoing investigation but provided no further comment.
Berean did not clarify how customers would be contacted, nor confirm any plans for a vulnerability disclosure program. It is unclear whether Express has the logs needed to determine who accessed the exposed data.
He also didn’t respond to inquiries about informing state attorneys general as per U.S. data breach notification requirements.
This security issue is a recent example of customer data exposure due to misconfigured systems. In December, Home Depot reportedly exposed internal systems for a year, and Petco’s Vetco Clinics site leaked customer personal and pet medical information.
