Vulnerability in Tommy Hilfiger Japan DB Exposes Hundreds of Thousands of Customers to Data Theft
Paul Kane writes:
Hacker-activists Noam Rotem and Ran L from Safety Detective’s research lab recently revealed a significant security breach in the Tommy Hilfiger Japan client database – leaving the private and personal details of hundreds of thousands of customers up for grabs.
Nearly 1 Million Website Visits
Tommy Hilfiger’s Japanese website, which received nearly one million visits so far this year, runs on an open Elasticsearch server not intended for URL access. But with minimal manipulation, the research team was able to find the gaping security oversight to the customer database.
Unprotected Customer Data Up for Grabs
The unsecured database provided easy access to the personal details of hundreds of thousands of customers in Japan, including first and last names, addresses, phone numbers, email addresses, dates of birth, last purchase dates, total orders made, and membership numbers. Alarmingly, the unencrypted info, stretching as far back as 2014, was accessible without a password, leaving the sensitive data completely unprotected.
Read more on SafetyDetective.