Signet Jewelers, the company that owns Jared and Kay Jewelers, has fixed a massive data breach that allowed anyone to view the order information of other customers, including a home address and the last four digits of a purchaser’s credit card, according to a Monday (December 3) report.
The problem came to light in the middle of November, when a web designer in Dallas named Brandon Sheehy bought a pair of earrings for his girlfriend from Jared online.
Sheehy found out that when he modified the link in the confirmation email just slightly and pasted it into a web browser, he could see another customer’s order. The page showed the customer’s name, shipping and billing address, phone number, email address, all items and total amounts, the delivery date, the tracking link and the last four digits of the customer’s credit card number.
“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” he said. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”
Sheehy contacted Jared’s parent company, Signet Jewelers, to report the issue and ask that it be resolved, he said, but he could still see the info for weeks.
Scott Lancaster, the chief information security officer at Signet, said the company fixed the issue for all future orders, but until recently had not fixed it for past orders.
“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”
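The flaw described above is an access-control failure: the order number in the confirmation link was the only thing gating access to the order page, so anyone who altered it could read someone else's order. The sketch below is an added example, not Signet's code or anything from the report; the order records, email addresses and tracking URLs are constructed, and the function and field names are my own. It shows a lookup that serves any order by its sequential number beside a hardened lookup that requires an unguessable per-order token and an ownership check, and it makes the point from the last two paragraphs explicit: if tokens are issued only for new orders, old orders must fail closed until they are backfilled, rather than staying reachable by guessable id.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: int            # sequential, easy to guess from a neighbouring order
    customer_email: str
    shipping_address: str
    card_last4: str
    tracking_url: str
    token: Optional[str] = None   # unguessable secret; None for orders placed before the fix


# Constructed sample data (hypothetical customers, not real orders).
ORDERS = {
    1001: Order(1001, "alice@example.com", "1 Main St", "1234", "https://track.example/1001"),
    1002: Order(1002, "bob@example.com", "2 Oak Ave", "5678", "https://track.example/1002"),
}


class AccessDenied(Exception):
    """Raised when a request does not prove it may see the order."""


def _render(order: Order) -> dict:
    # The fields the article says the order page exposed.
    return {
        "customer_email": order.customer_email,
        "shipping_address": order.shipping_address,
        "card_last4": order.card_last4,
        "tracking_url": order.tracking_url,
    }


def vulnerable_lookup(order_id: int) -> Optional[dict]:
    """Mirrors the flaw: whoever supplies a valid order number gets the full order.

    Nothing ties the request to the customer who placed the order.
    """
    order = ORDERS.get(order_id)
    return None if order is None else _render(order)


def issue_token(order: Order) -> str:
    """Attach a 256-bit random token to an order; this is what the emailed link should carry."""
    order.token = secrets.token_urlsafe(32)
    return order.token


def backfill_tokens(orders: dict) -> int:
    """Issue tokens to every order that lacks one. Returns how many were fixed.

    Skipping this step is the 'new orders only' mistake: old orders keep their
    predictable numbers and, in the hardened handler below, become unreachable
    by link rather than exposed.
    """
    fixed = 0
    for order in orders.values():
        if order.token is None:
            issue_token(order)
            fixed += 1
    return fixed


def hardened_lookup(order_id: int, token: str, requester_email: str) -> dict:
    """Serve an order only when the link token matches AND the requester owns it.

    Fails closed: an unknown id, a missing token on the record, a wrong token,
    or a different customer all produce the same AccessDenied.
    """
    order = ORDERS.get(order_id)
    if order is None or order.token is None:
        raise AccessDenied("order not found or not yet protected")
    # Constant-time comparison so a wrong token cannot be narrowed down by timing.
    if not hmac.compare_digest(order.token.encode(), token.encode()):
        raise AccessDenied("bad token")
    # Ownership check: the identity from the authenticated session must match the order.
    if requester_email != order.customer_email:
        raise AccessDenied("not your order")
    return _render(order)


if __name__ == "__main__":
    print("vulnerable, any caller:", vulnerable_lookup(1002))
    print("backfilled:", backfill_tokens(ORDERS))
    print("hardened, owner:", hardened_lookup(1001, ORDERS[1001].token, "alice@example.com"))
    try:
        hardened_lookup(1001, ORDERS[1001].token, "bob@example.com")
    except AccessDenied as e:
        print("hardened, other customer:", e)
```

The token stands in for the secret that the confirmation link must carry in place of (or alongside) the bare order number; the ownership check is what stops a leaked or forwarded link from being useful to anyone but the purchaser. The backfill is the step the report says was missed: a server-side check that is only wired up for new records leaves every existing order exactly as exposed as before.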