Luxury retailer Saks Fifth Avenue reportedly left the personal information of tens of thousands of its customers exposed in plain text on its online shopping site. BuzzFeed News reports that customers' e-mail addresses and phone numbers were, up until recently, visible on Saks' retail website "in plain text online".
The Saks website is maintained by the digital division of Hudson's Bay Company, its parent company and owner of multiple department store chains such as Lord & Taylor and Gilt.
The unencrypted, publicly accessible web pages reviewed by BuzzFeed reportedly exposed the personal data of Saks customers who joined a wait-list for certain products. They also apparently displayed the product codes for the items the customers were looking to purchase.
One page reviewed by the publication reportedly included a number of Gmail, Hotmail and AOL email addresses as well as work email accounts from JPMorgan, Charter Communications and government addresses. The pages were later taken down by HBC.
"We take this matter seriously," a Hudson's Bay Company spokesperson told BuzzFeed News. "We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses.
"We have resolved any issue related to customer phone numbers, which was an even smaller percent."
The Canadian company also emphasised that it does have "teams dedicated to the security of our customers' data and follow industry best practices for information security".
According to BuzzFeed, the website also served some pages over unencrypted connections to logged-in Saks customers, potentially exposing their data to anyone able to intercept the traffic.
The site also mixes secure and non-secure pages. Its homepage, for example, shows a small notification in the browser's address bar noting that the connection is not secure and warning shoppers not to enter personal information such as passwords or credit card data on the page.
"This is as bad as security gets," cybersecurity expert Robert Graham told BuzzFeed News. "Everyone is vulnerable." He added that the site's combination of secure and non-secure pages can leave a shopper browsing the site on an open WiFi connection vulnerable to hackers.
"The solution is for every webpage to be encrypted, not just the login," he said. "They should all be https links."
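The mixed secure/non-secure pattern described above is something a site owner can audit for. The following is an added example, not code from the article or from HBC: given a page's URL and its HTML, it lists resources an HTTPS page would load over plain HTTP (mixed content) and links or forms that would send the shopper back to an unencrypted page. The HTML and hostnames are constructed for the demonstration.

```python
"""Audit an HTML page for resources and navigation targets that fall back to plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes a browser loads automatically (resources) versus follows on interaction (links).
# Note: <link> is treated as a resource; non-loading variants such as rel="canonical" will also be flagged.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}
LINK_ATTRS = {"a": "href", "form": "action"}


class _UrlCollector(HTMLParser):
    """Collect raw URL attribute values from start tags."""

    def __init__(self):
        super().__init__()
        self.resources, self.links = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # boolean attributes map to None and are skipped below
        if tag in RESOURCE_ATTRS and attrs.get(RESOURCE_ATTRS[tag]):
            self.resources.append(attrs[RESOURCE_ATTRS[tag]])
        elif tag in LINK_ATTRS and attrs.get(LINK_ATTRS[tag]):
            self.links.append(attrs[LINK_ATTRS[tag]])


def find_insecure_urls(page_url, html):
    """Return (mixed_content, http_links) as sorted lists of absolute URLs.

    Relative and scheme-relative ("//host/x") URLs are resolved against page_url,
    so on a page served over http:// every relative reference is reported as insecure.
    """
    collector = _UrlCollector()
    collector.feed(html)

    def plain_http(url):
        return urlsplit(urljoin(page_url, url)).scheme == "http"

    mixed = sorted({urljoin(page_url, u) for u in collector.resources if plain_http(u)})
    links = sorted({urljoin(page_url, u) for u in collector.links if plain_http(u)})
    return mixed, links


# Constructed sample: an HTTPS account page that pulls a stylesheet over HTTP and
# links to an HTTP homepage and an HTTP wait-list form (hostnames are hypothetical).
SAMPLE_URL = "https://www.example.test/account"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//static.example.test/app.js"></script>
</head><body>
<a href="/account">Account</a>
<a href="http://www.example.test/">Home</a>
<form action="http://www.example.test/waitlist" method="post"><input name="email"></form>
<img src="https://static.example.test/logo.png">
</body></html>"""

if __name__ == "__main__":
    mixed, links = find_insecure_urls(SAMPLE_URL, SAMPLE_HTML)
    print("mixed content:", mixed)
    print("plain-HTTP links/forms:", links)
```

Anything in the second list is a page the shopper can reach without TLS; the fix Graham describes is to serve and link every page over HTTPS so both lists come back empty.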