[BreachExchange] Jared And Kay Jewelers Fix Consumer Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Dec 10 01:47:01 EST 2018


https://www.pymnts.com/news/security-and-risk/2018/jared-signet-kay-jewelers-data-breach/

Signet Jewelers, the company that owns Jared and Kay Jewelers, has
fixed a massive data breach that allowed anyone to view the order
information of other customers, including a home address and the last
four digits of a purchaser’s credit card, according to a Monday
(December 3) report.

The problem came to light in the middle of November, when a web
designer in Dallas named Brandon Sheehy bought a pair of earrings for
his girlfriend from Jared online.

Sheehy found out that when he modified the link in the confirmation
email just slightly, and pasted it into a web browser, he could see
another customer’s order. The information clearly showed the
customer’s name, shipping and billing address, phone number, email
address, all items and total amounts, the delivery date, the tracking
link and the last four digits of the customer’s credit card number.

“My first thought was they could track a package of jewelry to
someone’s door and swipe it off their doorstep,” he said. “My second
thought was that someone could call Jared’s customers and pretend to
be Jared, reading the last four digits of the customer’s card and
saying there’d been a problem with the order, and if they could get a
different card for the customer they could run it right away and get
the order out quickly. That would be a pretty convincing scam. Or just
targeted phishing attacks.”

Sheehy contacted Jared’s parent company, Signet Jewelers, to report
the issue and ask that it be resolved, he said, but he could still see
the info for weeks.

Scott Lancaster, the chief information security officer at Signet,
said the company fixed the issue for all future orders, but until
recently didn’t fix the issue for past orders.

“When a customer first brought this matter to our attention in early
November, we fixed it for all new orders going forward,” Lancaster
said. “But we didn’t notice at the time that this applied to all past
orders as well as future orders.”
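The flaw the report describes is an insecure direct object reference: the order number in the confirmation link was the only thing tying a request to an order, so any valid-looking number returned someone's record, and fixing the link format for new orders left every previously issued link working. The Python below is an added illustration, not code from the article or from Signet's systems; it puts the vulnerable lookup beside a hardened one in which the request must either carry a per-order HMAC token or come from a session owned by the purchaser. The order records, the hostname shop.example and the secret key are constructed sample values.

```python
"""
Added example (not from the article or Signet): a minimal order-confirmation
lookup showing the insecure-direct-object-reference pattern the report
describes, beside a hardened version. All data here is constructed.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample orders keyed by a sequential order number, the kind of
# value that is trivial to alter in a URL.
ORDERS = {
    1001: {"customer": "alice@example.com", "ship_to": "1 Main St", "card_last4": "1234"},
    1002: {"customer": "bob@example.com", "ship_to": "2 Oak Ave", "card_last4": "5678"},
}

# Hypothetical server-side secret; a real deployment loads it from a secret store.
LINK_SECRET = b"constructed-demo-secret-do-not-use"


def lookup_insecure(order_id: int) -> Optional[dict]:
    """Vulnerable pattern: the order number from the URL is the only input.
    Nothing binds the requester to the order, so any number resolves to
    whatever record happens to carry it."""
    return ORDERS.get(order_id)


def make_link_token(order_id: int) -> str:
    """Unguessable token bound to exactly one order, for confirmation emails.
    HMAC-SHA256 over the order id under a server-side secret: altering the
    order number in the link invalidates the token."""
    return hmac.new(LINK_SECRET, str(order_id).encode(), hashlib.sha256).hexdigest()


def build_confirmation_url(order_id: int) -> str:
    """Hypothetical confirmation link carrying the per-order token."""
    return f"https://shop.example/orders/{order_id}?t={make_link_token(order_id)}"


def lookup_secure(order_id: int, token: Optional[str],
                  session_user: Optional[str] = None) -> Optional[dict]:
    """Hardened pattern: the request must prove a right to *this* order,
    either via a logged-in session whose user placed it or via a valid
    per-order token from the email link. A request with neither is refused,
    which is what makes the fix cover links issued before the change."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if session_user is not None and session_user == order["customer"]:
        return order
    # compare_digest keeps the token check constant-time.
    if token is not None and hmac.compare_digest(token, make_link_token(order_id)):
        return order
    return None


if __name__ == "__main__":
    # Old-style link: only the order number, accepted by the vulnerable lookup.
    print("insecure:", lookup_insecure(1002))
    # Same number through the hardened lookup without a token: refused.
    print("secure, no token:", lookup_secure(1002, None))
    # Token for order 1001 does not unlock order 1002.
    print("secure, wrong token:", lookup_secure(1002, make_link_token(1001)))
    print("link:", build_confirmation_url(1001))
```

The point of the hardened version is that the check is against the specific order, not just against being "a customer": a token minted for one order is rejected for every other, and the absence of a token is rejected outright, so confirmation links that pre-date the fix stop revealing anything rather than staying readable for weeks.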
