News November 27, 2019
Vistaprint Concludes Database Investigation
The global e-commerce seller says the database contained information relating to fewer than 30,000 customers.
Vistaprint, a global e-commerce seller of promotional products and printed marketing materials owned by Top 40 distributor Cimpress (asi/162149), has concluded its investigation regarding a customer service database that was left unprotected.
Vistaprint says that no one outside of the company accessed the data beyond security researcher Oliver Hough, who discovered the database last week, and TechCrunch, which reported the security lapse on Monday.
Contrary to TechCrunch’s report that more than 51,000 customer service interactions, including calls, chats and emails, were exposed, Vistaprint has confirmed that the database contained information on fewer than 30,000 of its 17 million customers worldwide. Vistaprint has also verified that no credit or debit card information was contained within the database. The Massachusetts-based company says it is continuing to review every relevant customer chat transcript to ensure that no additional financial data was discussed or included.
“This is unacceptable; this should not have happened under any circumstances and we are extremely sorry,” said Ian Amit, chief security officer at Cimpress, parent company of Vistaprint. “As a priority, we are now contacting all affected customers to inform them of next steps. We are carrying out a full investigation to understand exactly what occurred and how to prevent anything like this happening in the future.”
The search engine Shodan first indexed Vistaprint’s database on Nov. 5, but it may have been exposed before then. Hough discovered the unencrypted database last week and tweeted Vistaprint about the security lapse, but never heard back. Vistaprint quietly took the database offline only after TechCrunch reached out.
Hey @Vistaprint do you have a bug bounty program? or a security contact I can talk to. Got something here that your security team will want to look at ASAP
— Oliver Hough (@olihough86) November 21, 2019
my DMs are open
yo @Cimpress you own Vistaprint now right? can you hook me up with a security contact? Got a database they need to take down ASAP
— Oliver Hough (@olihough86) November 23, 2019
Just in case anyone was wondering what my cryptic tweets to @vistaprint and @Cimpress were all about. https://t.co/8yKTzxkhHQ
— Oliver Hough (@olihough86) November 25, 2019
The database contained five populated tables, TechCrunch reported. One held incoming customer queries, including the customer’s name, email address, phone number and the date and time of their interaction with customer service; many of those interactions were as recent as mid-September. A table named “chat” contained thousands of customers’ line-by-line online chat interactions with support agents, along with information about each customer’s browser, network connection, location, operating system and internet provider. Some of the recorded chat logs also contained order numbers and postal tracking numbers. The “emails” table contained entire email threads with customers detailing problems with their orders or other issues. The “phone” table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call and an internal link to the recording of the call. The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.
According to Hough, the database was not actively sending or receiving data at the time he found it. It was named “migration,” suggesting it was used as a temporary store while customer records were being moved from one server to another. However, the database had no password set, so anyone who found it could read the data inside.
Counselor ranks Cimpress as the fourth largest distributor in the industry, estimating the firm’s 2018 North American promo product sales were $450 million.