Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Vistaprint left a customer service database unprotected, exposing calls, chats and emails

A security researcher has found an exposed database on the internet belonging to online printing giant Vistaprint.

Security researcher Oliver Hough discovered the unencrypted database last week. There was no password on the database, allowing anyone to access the data inside. The database was first detected by exposed device and database search engine Shodan on November 5, but it may have been exposed for longer.

Hough tweeted to warn the company of the security lapse, but has not heard back.

Vistaprint, owned by Netherlands-based parent Cimpress, quietly took the database offline after TechCrunch reached out but did not comment by our deadline. Robert Crosland, a spokesperson for Vistaprint, said in a statement after we published that the exposure affected customers in the U.S., the U.K. and Ireland.

“This is unacceptable and should not have happened under any circumstances,” the company said. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it,” the spokesperson said.

The company said it will inform customers of the exposure — many of whom are protected under the strict GDPR data protection rules.

The database contained five tables stored with data on more than 51,000 customer service interactions, such as calls to customer service or chats with an online support agent. The data also included personally identifiable information, including names and contact information, which could identify individual customers.

One table named “cases” contained incoming customer queries, including the customer’s name, email address, phone number, and the date and time of their interaction with customer service. Many of those customer service interactions were as recent as mid-September.

The data also contained information hidden from the customer. Each customer service interaction in the “cases” table appeared to have graded the customer’s query based off keywords picked from their query. That helped to determine the customer’s “sentiment”, which then described their complaint as either “negative” or “neutral”. The data also included the “priority” of a customer’s interaction, allowing it to be pushed higher in the queue.

Another table named “chat” contained thousands of customers’ line-by-line online chat interactions with support agents, but also contained information about the customer’s browser and network connection, where they were located, and what operating system they used, and their internet provider.

Some of the recorded chat logs also contained sensitive information like order numbers and postal tracking numbers, but there were no passwords or financial data in the exposed database.

The “emails” table contained entire email threads with customers detailing problems or other issues with their orders. And, the “phone” table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call — often including details of the customer’s orders — and an internal link (which we could not access) to the recording of the call.

The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.

According to Hough, the database was not currently sending or receiving data. The database was named “migration,” suggesting the database was used to temporarily store data while it was moved customer records from one server to another.

But it’s not clear why the database was exposed and left online without a password.

It’s the latest example of a security lapse involving lax internal data controls. This year alone, several data exposures have put millions of customers at risk, including online game ‘Magic: The Gathering”, a popular online ‘camgirl’ site, as well as job searching site Monster.com and IT giant Tech Data.

Updated with a statement from Vistaprint.

Related stories:

Comments

Post a Comment

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio
Post a Comment
Read more

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line
Post a Comment
Read more

ProtonMail logged IP address of French activist after order by Swiss authorities

ProtonMail , a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users. For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying prem
Post a Comment
Read more