Express Exposes Customer Data Due to Website Flaw

Severity: Medium (Score: 48.9)

Sources: Scworld, TechCrunch

Summary

Fashion retailer Express has fixed a security vulnerability on its website that exposed sensitive customer data, including names, email addresses, and partial payment card information. The flaw allowed unauthorized access to order confirmation pages, revealing details of at least a dozen customers' orders. Security advocate Rey Bango discovered the issue while investigating a fraudulent purchase and reported it to TechCrunch, which confirmed the vulnerability. Express has since patched the flaw but has not disclosed whether it will notify affected customers or if it has the means to check for unauthorized access. The incident highlights ongoing issues with data exposure due to misconfigurations in web applications. Similar security lapses were reported in December involving other companies. Express is now reviewing the matter but has not provided further details on its security measures.

Key Points:

• Express fixed a vulnerability exposing customer data on its website.
• The flaw allowed access to sensitive information via manipulated order confirmation URLs.
• No confirmation on whether affected customers will be notified of the breach.
