Order information for customers of some Signet brands may have been exposed in a leak, KrebsOnSecurity reports.
A customer reported the security weakness to the security-focused publication. The customer, Brandon Sheehy of Dallas, “discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order.” The exposed order page included a variety of personal information, including name, address and the last four digits of the credit card.
“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” Sheehy told KrebsOnSecurity. A variety of other scams might be possible with the information, he surmised.
Sheehy said he contacted Signet, whose brands include Jared, Kay and Zales, about the problem. It was then apparently fixed for all orders going forward, but not for past orders.
Scott Lancaster, chief information security officer of Signet, said the problem has now been fixed for past orders as well.
The issue “affected only orders made online through jared.com and kay.com” and not the company’s other brands, KrebsOnSecurity reports.
Read more at KrebsOnSecurity