Signet Jewelers has fixed a possible security issue on its Kay and Jared e-commerce sites, which risked exposing some of its customers’ personal information.
This week, cybercrime blog Krebs on Security reported it had been contacted by a Jared customer who complained that he could see other customers’ order information when he modified the web address (link) in his confirmation email. That info included the customers’ order, name, address, and the last four digits of their credit card.
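The flaw described above is a textbook broken-access-control bug: the confirmation page trusts whatever order number appears in the link and returns that order to anyone who asks. The Python below is an added illustration (not Signet's code, and not from the Krebs report); it uses a hypothetical in-memory order store with constructed sample orders and places the vulnerable handler beside a hardened one. The hardened version embeds a random, unguessable per-order token in the emailed link and, as a second path, accepts a logged-in customer who owns the order; unknown and unauthorized order numbers are answered identically so the response does not confirm which numbers exist.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: int
    customer_email: str
    name: str
    address: str
    card_last4: str
    # Unguessable secret bound to this order. It goes into the confirmation
    # link in place of the bare order number, so editing the link cannot
    # reach another customer's order.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample orders standing in for an order database (not real data).
ORDERS = {
    1001: Order(1001, "alice@example.com", "Alice", "1 Main St", "4242"),
    1002: Order(1002, "bob@example.com", "Bob", "2 Oak Ave", "1111"),
}


def _public_view(o: Order) -> dict:
    """Fields a confirmation page shows (mirrors what the report says leaked)."""
    return {
        "order_id": o.order_id,
        "name": o.name,
        "address": o.address,
        "card_last4": o.card_last4,
    }


def confirmation_vulnerable(order_id: int) -> Optional[dict]:
    """Vulnerable pattern: the handler trusts the order number in the link and
    returns that order to any requester, with no check that the requester is
    entitled to it. Changing the number in the link walks through other
    customers' orders."""
    o = ORDERS.get(order_id)
    return _public_view(o) if o else None


def confirmation_link(o: Order, base: str = "https://shop.example/orders") -> str:
    """Hardened link: carries the per-order token, not just a sequential ID
    that can be incremented."""
    return f"{base}/{o.order_id}?t={o.token}"


def confirmation_hardened(
    order_id: int, token: Optional[str], session_email: Optional[str]
) -> Optional[dict]:
    """Hardened pattern: release the order only to a requester who proves a
    relationship to it, either by presenting its token (from the emailed link)
    or by being logged in as the customer who placed it. A missing order and
    a failed check both return None, so the reply does not reveal whether a
    guessed order number exists."""
    o = ORDERS.get(order_id)
    if o is None:
        return None
    # Constant-time comparison so timing does not leak how much of a guessed
    # token matched; compare bytes so non-ASCII input cannot raise.
    token_ok = token is not None and hmac.compare_digest(
        token.encode("utf-8"), o.token.encode("utf-8")
    )
    owner_ok = session_email is not None and session_email == o.customer_email
    if not (token_ok or owner_ok):
        return None
    return _public_view(o)


if __name__ == "__main__":
    print("vulnerable, any ID:", confirmation_vulnerable(1002))
    print("hardened, wrong token:", confirmation_hardened(1002, ORDERS[1001].token, None))
    print("hardened, right token:", confirmation_hardened(1002, ORDERS[1002].token, None))
    print("link:", confirmation_link(ORDERS[1002]))
```

The defensive point is that the order number is an identifier, not a credential: anything reachable from an unauthenticated email link needs its own unguessable secret, and anything reachable from a logged-in session needs an ownership check on every request, which is also where logging repeated failed lookups gives a detection signal.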
“My first thought was [thieves] could track a package of jewelry to someone’s door and swipe it off their doorstep,” the man told the site. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly.”
In a statement, Signet said that it was “confident” the issue had been addressed. It noted that the order confirmations did not include sensitive information such as full credit card numbers, usernames and passwords, and Social Security numbers. It also never affected its point-of-sale systems or the Zales or Piercing Pagoda sites.
“We are a customer-first company, and when we fall short of expectations, we own it,” said the statement. “While we immediately addressed and fixed this configuration detail for all past, present, and future orders, we are continuing to work with multiple third‐party experts to confirm and enhance the security of our e-commerce websites. Furthermore, Signet’s operations are certified as compliant with Payment Card Industry security standards after required audits and penetration tests.”