Skip to main content

Vistaprint left a customer service database unprotected, exposing calls, chats and emails

A security researcher has found an exposed database on the internet belonging to online printing giant Vistaprint.

Security researcher Oliver Hough discovered the unencrypted database last week. There was no password on the database, allowing anyone to access the data inside. The database was first detected by exposed device and database search engine Shodan on November 5, but it may have been exposed for longer.

Hough tweeted to warn the company of the security lapse, but has not heard back.

Vistaprint, owned by Netherlands-based parent Cimpress, quietly took the database offline after TechCrunch reached out but did not comment by our deadline. Robert Crosland, a spokesperson for Vistaprint, said in a statement after we published that the exposure affected customers in the U.S., the U.K. and Ireland.

“This is unacceptable and should not have happened under any circumstances,” the company said. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it,” the spokesperson said.

The company said it will inform customers of the exposure — many of whom are protected under the strict GDPR data protection rules.

The database contained five tables stored with data on more than 51,000 customer service interactions, such as calls to customer service or chats with an online support agent. The data also included personally identifiable information, including names and contact information, which could identify individual customers.

One table named “cases” contained incoming customer queries, including the customer’s name, email address, phone number, and the date and time of their interaction with customer service. Many of those customer service interactions were as recent as mid-September.

The data also contained information hidden from the customer. Each customer service interaction in the “cases” table appeared to have graded the customer’s query based off keywords picked from their query. That helped to determine the customer’s “sentiment”, which then described their complaint as either “negative” or “neutral”. The data also included the “priority” of a customer’s interaction, allowing it to be pushed higher in the queue.

Another table named “chat” contained thousands of customers’ line-by-line online chat interactions with support agents, but also contained information about the customer’s browser and network connection, where they were located, and what operating system they used, and their internet provider.

Some of the recorded chat logs also contained sensitive information like order numbers and postal tracking numbers, but there were no passwords or financial data in the exposed database.

The “emails” table contained entire email threads with customers detailing problems or other issues with their orders. And, the “phone” table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call — often including details of the customer’s orders — and an internal link (which we could not access) to the recording of the call.

The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.

According to Hough, the database was not currently sending or receiving data. The database was named “migration,” suggesting the database was used to temporarily store data while it was moved customer records from one server to another.

But it’s not clear why the database was exposed and left online without a password.

It’s the latest example of a security lapse involving lax internal data controls. This year alone, several data exposures have put millions of customers at risk, including online game ‘Magic: The Gathering”, a popular online ‘camgirl’ site, as well as job searching site Monster.com and IT giant Tech Data.

Updated with a statement from Vistaprint.

Related stories:



from TechCrunch https://ift.tt/37BzvZP
via IFTTT
Labels:

Comments

Post a Comment

Popular posts from this blog

Max Q: Psyche(d)

In this issue: SpaceX launches NASA asteroid mission, news from Relativity Space and more. © 2023 TechCrunch. All rights reserved. For personal use only. from TechCrunch https://ift.tt/h6Kjrde via IFTTT
Post a Comment
Read more

Max Q: Anomalous

Hello and welcome back to Max Q! Last week wasn’t the most successful for spaceflight missions. We’ll get into that a bit more below. In this issue: First up, a botched launch from Virgin Orbit… …followed by one from ABL Space Systems News from Rocket Lab, World View and more Virgin Orbit’s botched launch highlights shaky financial future After Virgin Orbit’s launch failure last Monday, during which the mission experienced an  “anomaly” that prevented the rocket from reaching orbit, I went back over the company’s financials — and things aren’t looking good. For Virgin Orbit, this year has likely been completely turned on its head. The company was aiming for three launches this year, but everything will remain grounded until the cause of the anomaly has been identified and resolved. It’s unclear how long that will take, but likely at least three months. Add this delay to Virgin’s dwindling cash reserves and you have a foundation that’s suddenly much shakier than before. ...
Post a Comment
Read more

What’s Stripe’s deal?

Welcome to  The Interchange ! If you received this in your inbox, thank you for signing up and your vote of confidence. If you’re reading this as a post on our site, sign up  here  so you can receive it directly in the future. Every week, I’ll take a look at the hottest fintech news of the previous week. This will include everything from funding rounds to trends to an analysis of a particular space to hot takes on a particular company or phenomenon. There’s a lot of fintech news out there and it’s my job to stay on top of it — and make sense of it — so you can stay in the know. —  Mary Ann Stripe eyes exit, reportedly tried raising at a lower valuation The big news in fintech this week revolved around payments giant Stripe . On January 26, my Equity Podcast co-host and overall amazingly talented reporter Natasha Mascarenhas and I teamed up to write about how Stripe had set a 12-month deadline for itself to go public, either through a direct listing or by pursuin...
Post a Comment
Read more