Printing company Vistaprint left an online database containing customer interactions unencrypted, according to a report.
A security researcher named Oliver Hough discovered the unprotected database on Nov. 5. He reached out to the company but didn’t hear back. After the report was published, the company quietly took down the database.
Vistaprint is owned by Cimpress, a company based in the Netherlands. Robert Crosland, a spokesperson for Vistaprint, said customers in the U.S., U.K. and Ireland were affected.
“This is unacceptable and should not have happened under any circumstances,” the company said. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it.”
Crosland noted that the company planned to tell customers about the breach. The database included personally identifiable information on upwards of 51,000 customer service interactions, such as chats with agents or support phone calls.
Some of the interactions contained in the database occurred as recently as September. One of the tables was called “chat,” and included line-by-line conversations between customers and the company. Other information included order numbers and postal tracking data. There were also entire email threads and specific information about phone calls, such as the customer’s mood and the pertinency of the interaction.
Hough said the database was titled “migration,” meaning that it was potentially used to store data before it was moved.
The Vistaprint spokesperson did not provide a reason for why the database was left online without protection.
Vistaprint was started in 1995 and was one of the first companies to take advantage of publishing through the internet. The company was started by Robert Keane, the CEO of Cimpress.