<div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.forbes.com/sites/ajdellinger/2019/04/30/personal-data-from-hundreds-of-thousands-tommy-hilfiger-japan-customers-was-exposed-online/#5942732515f0">https://www.forbes.com/sites/ajdellinger/2019/04/30/personal-data-from-hundreds-of-thousands-tommy-hilfiger-japan-customers-was-exposed-online/#5942732515f0</a><br></div></div><div dir="ltr"><br></div><div dir="ltr"><p class="gmail-speakable-paragraph">A security vulnerability discovered on
the Tommy Hilfiger Japan website resulted in the personal information of
tens of thousands of customers being exposed online for anyone to see.
The issue was <a href="https://www.safetydetective.com/blog/tommy-hifilger-jp/" target="_blank" rel="nofollow noopener">first discovered</a> by Noam Rotem and Ran L, two researchers from security firm <a href="https://www.safetydetective.com/" target="_blank" rel="nofollow noopener">Safety Detective</a>, and has since been addressed by Tommy Hilfiger Japan and parent company PVH Corp.</p>
<p>According to Safety Detective, the issue stemmed from a misconfigured
Elasticsearch database. With what the researchers describe as "minimal
manipulation," the vulnerability could be exploited to gain access to
customer data. Full names, addresses, phone numbers, email addresses and
dates of birth were accessible in unencrypted plaintext format.</p>
<p>Credit cards and other financial information do not appear to be a part of the leaking server, so this isn't quite a <a href="https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#4266d660e795" target="_self">Target</a> or <a href="https://www.forbes.com/sites/katevinton/2014/09/18/with-56-million-cards-compromised-home-depots-breach-is-bigger-than-targets/#8f76f383e742" target="_self">Home Depot</a>
situation. But transaction information was available in the exposed
database. That includes the date of purchase, total orders made and
membership ID numbers, as well as details on "millions of orders," per
Safety Detective. Details like product descriptions, prices, sizes, SKUs
and other information were accessible. While it's not clear exactly how
many records were available, the researchers claim to have found records
dating back as far as 2014.</p>
<p>While it's unlikely that any malicious actor who found the
information could hijack a person's account or start racking up fees for
unsuspecting Tommy Hilfiger Japan shoppers, the data could be used in a
social engineering attack. The researchers at Safety Detective
explained that by using a person's contact information and transaction
history, an attacker may be able to reach a customer via phone or email
posing as a Tommy Hilfiger employee and ask for other information like
credit card numbers.</p>
<p>Tommy Hilfiger was contacted regarding the reported vulnerability.
"We take this allegation seriously," a spokesperson for the company said
when approached about the issue. The company's representatives were put
in contact with the researchers at Safety Detective, and the issue was
escalated to PVH Corp.—one of the largest fashion companies in the world
and the parent company of Tommy Hilfiger, Calvin Klein, IZOD and
others.</p><p>A representative for PVH Corp. disclosed that the issue stemmed from a
third-party operator that manages the Tommy Hilfiger Japan website and
has since been fixed. The researchers at Safety Detective said the
company "acted quickly" to address the issues. No other Tommy Hilfiger
or PVH Corp. website appears affected by the vulnerability.<br></p>
<div class="gmail-vestpocket">
<h2></h2></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>