Customer data exposed through OfficeMax site (flaw sighted)

Posted at 5:22 p.m. PST Wednesday, Feb. 21, 2001

Customer data exposed through OfficeMax site (USA Today)

A security flaw in OfficeMax's Web site exposed some customers' personal information -- including credit card numbers, expiration dates and home addresses -- to other shoppers.

The problem has existed since the site was revamped in June, but OfficeMax was not aware of it until this week when a promotion drove a lot of traffic to the site, spokesman Steve Baisden said. Programmers were working late Wednesday to correct it. No estimates were given as to how long it would take.

More than 1.4 million people visited the office supply site in January, according to Media Metrix. No one knows how many users were affected by the flaw. Here's how it happened:

-- An OfficeMax.com customer spots a great deal on typing paper and sends the Web page address, featuring the paper, to a friend before completing his order.

-- The friend follows the link to OfficeMax.com and goes to purchase it, along with other items.

-- When the friend tries to place the order, he/she discovers that the shipping and billing blanks have been filled in with the first person's information. By selecting the "Edit Existing Info" option, the friend sees the first person's credit card number -- and can charge the order to it.

Customer Scott Berry, a software developer near Los Angeles, discovered the flaw when he tried to pass a free CD offer along to his boss. He says he first contacted OfficeMax Tuesday and was told there was no problem. He kept calling until he was told that the company was looking into it, but it wouldn't be fixed for several days. When Berry asked to have his personal information removed from the database, the company refused, he says. OfficeMax declined comment on his claims.

"You can really tell the quality of a company by how they respond to something like this," says Gary Clayton, a privacy consultant.

Experts say the flaw is less serious than hacker attacks that have stolen credit card numbers from Web sites such as Egghead.com and Western Union. That's because the OfficeMax flaw is tough for thieves to exploit because a shopper has to send a Web address to someone before his/her data are exposed.

http://www0.mercurycenter.com/svtech/news/breaking/merc/docs/056749.htm

-- Tess (webwoman@iamit.com), February 21, 2001

