The email addresses for thousands of Saks Fifth Avenue customers were sitting on the retailer’s website, unencrypted, for an unknown period of time.
BuzzFeed News reports that the list, which has since been removed from the internet, was likely created as a result of Saks’ parent company Hudson’s Bay sorting customer information into plain text on its servers.
While the information didn’t include payment information for customers, it did contain several IP addresses and product codes for items that customers had expressed interest in purchasing.
BuzzFeed News reports that the information was removed after the publication contacted Hudson’s Bay for comment.
“We take this matter seriously,” an HBC spokesperson told BuzzFeed News. “The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
The retailer added that it has teams dedicated to the security of customers’ data, including following “industry best practices for information security.”
BuzzFeed also alleges that some pages on the Saks site were not properly secured, potentially leaving online shoppers vulnerable. The article is not clear on whether that issue has been addressed by Saks or HBC. We’ve written to the company for clarification and will update if we receive a response.
UPDATE: The company has not yet addressed our specific questions, but provided the following statement to Consumerist —
“The security of our customers is of utmost priority and we have resolved the issue related to our product waitlist. We want to reassure our customers that no credit, payment, or password information was ever exposed. We moved quickly and aggressively to address this issue, which was limited to a low single-digit percentage of email addresses and an even smaller percent of phone numbers of customers who had signed up for product on our waitlist. Beyond this matter, we continually review and enhance the security of our website and all of our communications.”