Tommy Hilfiger’s Japanese website, which received nearly one million visits so far in 2019, runs on an open Elasticsearch server not intended for URL access. But with minimal manipulation, the research team of Safety Detective was able to find the gaping security oversight to the customer database.
The unsecured database provided easy access to the personal details of hundreds of thousand of customers in Japan, including first and last names, addresses, phone numbers, email addresses, dates of birth, last purchase dates, total orders made, and membership numbers. The unencrypted info, stretching as far back as 2014, was accessible without a password, leaving the sensitive data completely unprotected.
In addition to the vast customer info, details on millions of orders were also accessible, including product descriptions, prices, pictures, sizes, SKUs, and manufacturing dates; as well as nation wide store locators complete with phone numbers, addresses, and more.Safety Detective team spoke to the Senior Vice President of Security at PVH, the parent company of Tommy Hilfiger (as well as Calvin Klein, Van Heusen, IZOD, ARROW, Speedo, Warner’s, and Olga), who acted quickly after receiving the disclosure to shut down the affected servers.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now