[BreachExchange] Unencrypted Vistaprint Database Exposed Personal Customer Data

Destry Winant destry at riskbasedsecurity.com
Mon Dec 2 10:09:58 EST 2019


Printing company Vistaprint left an online database containing
customer interactions unencrypted, according to a report.

A security researcher named Oliver Hough discovered the unprotected
database on Nov. 5. He reached out to the company but didn’t hear
back. After the report was published, the company quietly took down
the database.

Vistaprint is owned by Cimpress, a company based in the Netherlands.
Robert Crosland, a spokesperson for Vistaprint, said customers in the
U.S., U.K. and Ireland were affected.

“This is unacceptable and should not have happened under any
circumstances,” the company said. “We’re currently carrying out a full
investigation to understand what happened and how to prevent any
future recurrence. At this time, we do not know whether this data has
been accessed beyond the security researcher who found it.”

Crosland noted that the company planned to tell customers about the
breach. The database included personally identifiable information on
upwards of 51,000 customer service interactions, such as chats with
agents or support phone calls.

Some of the interactions contained in the database occurred as
recently as September. One of the tables was called “chat,” and
included line-by-line conversations between customers and the company.
Other information included order numbers and postal tracking data.
There were also entire email threads and specific information about
phone calls, such as the customer’s mood and the pertinency of the

Hough said the database was titled “migration,” meaning that it was
potentially used to store data before it was moved.

The Vistaprint spokesperson did not provide a reason for why the
database was left online without protection.

Vistaprint was started in 1995 and was one of the first companies to
take advantage of publishing through the internet. The company was
started by Robert Keane, the CEO of Cimpress.
