Data Security, Vulnerability Management

Customer data-exposing website flaw remediated by clothing retailer Express


TechCrunch reports that major U.S. clothing retailer Express has fixed a vulnerability in its website that exposed the sensitive data of at least a dozen customers in search engine results, including names, email addresses, postal, billing, and delivery addresses, order details, partial card information, and phone numbers.

"Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time," said Express Head of Marketing Joe Berean. Security and privacy advocate Rey Bango discovered the flaw on the clothing retailer's website after a fraudulent purchase investigation. Bango disclosed the incident to TechCrunch, which verified that the flaw could be exploited by manipulating the order confirmation page to view the details of other customers. No further details were shared regarding the company's means of verifying whether there had been unauthorized access to the exposed data or its plans for updating its website.

Two other security lapses were reported in December last year: Vetco Clinics' website exposed pet medical records and customers' personal information, and Home Depot inadvertently leaked its internal systems for a year.
