[BreachExchange] Personal Data From Hundreds Of Thousands Tommy Hilfiger Japan Customers Was Exposed Online

Inga Goddijn inga at riskbasedsecurity.com
Wed May 1 09:44:47 EDT 2019


https://www.forbes.com/sites/ajdellinger/2019/04/30/personal-data-from-hundreds-of-thousands-tommy-hilfiger-japan-customers-was-exposed-online/#5942732515f0

A security vulnerability discovered on the Tommy Hilfiger Japan website
resulted in the personal information of tens of thousands of customers
being exposed online for anyone to see. The issue was first discovered
<https://www.safetydetective.com/blog/tommy-hifilger-jp/> by Noam Rotem and
Ran L, two researchers from security firm Safety Detective
<https://www.safetydetective.com/>, and has since been addressed by Tommy
Hilfiger Japan and parent company PVH Corp.

According to Safety Detective, the issue stemmed from a misconfigured
Elasticsearch database. With what the researchers describe as "minimal
manipulation," the vulnerability could be exploited to gain access to
customer data. Full names, addresses, phone numbers, email addresses and
date of birth were accessible in unencrypted plaintext format.

Credit cards and other financial information do not appear to be a part of
the leaking server, so this isn't quite a Target
<https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#4266d660e795>
or Home Depot
<https://www.forbes.com/sites/katevinton/2014/09/18/with-56-million-cards-compromised-home-depots-breach-is-bigger-than-targets/#8f76f383e742>
situation. But transaction information was available in the exposed
database. That includes the date of purchase, total orders made and
membership ID numbers, as well as details on "millions of orders," per
Safety Detective. Details like product descriptions, prices, sizes, SKUs
and other information were accessible. While it's not clear exactly how many
records were available, the researchers claim to have found records dating
back as far as 2014.

While it's unlikely that any malicious actor who found the information
could hijack a person's account or start racking up fees for unsuspecting
Tommy Hilfiger Japan shoppers, the data could be used in a social
engineering attack. The researchers at Safety Detective explained that by
using a person's contact information and transaction history, an attacker
may be able to reach a customer via phone or email posing as a Tommy
Hilfiger employee and ask for other information like credit card numbers.

Tommy Hilfiger was contacted regarding the reported vulnerability. "We take
this allegation seriously," a spokesperson for the company said when
approached about the issue. The company's representatives were put in
contact with the researchers at Safety Detective, and the issue was
escalated to PVH Corp.—one of the largest fashion companies in the world
and the parent company of Tommy Hilfiger, Calvin Klein, IZOD and others.

A representative for PVH Corp. disclosed that the issue stemmed from a
third-party operator that manages the Tommy Hilfiger Japan website and has
since been fixed. The researchers at Safety Detective said the company
"acted quickly" to address the issues. No other Tommy Hilfiger or PVH Corp.
websites appear to be affected by the vulnerability.