UPDATE: Vistaprint Left Customer Calls, Chats and Emails in Unencrypted Online Database
Vistaprint left records of customer service calls, chats and emails in an unencrypted online database that was reachable without authentication, exposing potentially sensitive customer information. According to TechCrunch, security researcher Oliver Hough notified the company via Twitter after the database turned up in Shodan, a search engine for internet-exposed devices and databases, on Nov. 5.
TechCrunch reported that the database stored some 51,000 customer service interactions and included customer names, phone numbers, email addresses and more. A Vistaprint representative told TechCrunch that customers in the U.S., the U.K. and Ireland may have been affected.
“This is unacceptable and should not have happened under any circumstances,” the company told TechCrunch. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it.”
Hey @Vistaprint do you have a bug bounty program? or a security contact I can talk to. Got something here that your security team will want to look at ASAP
my DM's are open
— Oliver Hough (@olihough86) November 21, 2019
It's unclear how long the database had been exposed, but some of the data was from as recently as September 2019. TechCrunch noted that no passwords or financial information appeared in the database, though there were other specific details about each customer interaction:
The “emails” table contained entire email threads with customers detailing problems or other issues with their orders. And, the “phone” table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call—often including details of the customer’s orders—and an internal link (which we could not access) to the recording of the call.
The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.
Vistaprint said it would notify affected customers of the potential breach and was working to determine how the database had been left unprotected, and for how long. According to TechCrunch, Hough said the database was named "migration," suggesting it was a temporary staging store that Vistaprint accidentally left online after moving customer records elsewhere. A temporary copy made during a migration holds the same data as the production store, so it needs the same access controls and a deliberate decommissioning step once the move is finished.
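The page does not say what kind of database was exposed, only that it was publicly reachable and turned up in Shodan. The following is an added example, not code from Vistaprint, Cimpress or TechCrunch, of the check a team can run against its own inventory before a search engine does it for them. It assumes an HTTP-fronted data store (Elasticsearch, CouchDB and similar products answer this way), where "no authentication" shows up as an HTTP 200 on an anonymous GET of / with no WWW-Authenticate challenge. The probe is read-only and fetches only a banner. The two stand-in servers, the "migration" banner and the loopback ports are constructed so the script runs offline; the real hosts and port numbers are unknown.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http_store(host, port, path="/", timeout=3.0):
    """Send one unauthenticated GET to an HTTP-fronted data store and classify it.

    Returns a dict; exposed=True means the store served content to an anonymous
    client (HTTP 200 with no WWW-Authenticate challenge). Read-only by design.
    """
    finding = {"host": host, "port": port, "reachable": False, "exposed": False,
               "status": None, "challenge": None, "banner": None}
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096)          # a banner is enough; never pull the data
        finding["status"] = resp.status
        finding["challenge"] = resp.getheader("WWW-Authenticate")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        finding["error"] = str(exc)     # closed port, timeout, connection refused
        return finding
    finding["reachable"] = True
    finding["exposed"] = finding["status"] == 200 and finding["challenge"] is None
    try:
        finding["banner"] = json.loads(body)
    except ValueError:
        pass                            # non-JSON or empty body: banner stays None
    return finding


def audit(targets):
    """Probe every (host, port) pair; return (all findings, exposed findings)."""
    findings = [probe_http_store(host, port) for host, port in targets]
    return findings, [f for f in findings if f["exposed"]]


# --- constructed stand-ins so the example runs offline (hypothetical, not real hosts) ---

class _OpenStore(BaseHTTPRequestHandler):
    """Mimics a store with no authentication: anyone gets a 200 and a banner."""
    def do_GET(self):
        body = json.dumps({"name": "migration", "status": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


class _LockedStore(_OpenStore):
    """Same store with HTTP Basic auth enabled: anonymous GET gets a 401 challenge."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="store"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def _serve(handler):
    """Start a handler on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Audit one open and one locked stand-in; return (findings, exposed)."""
    open_srv, locked_srv = _serve(_OpenStore), _serve(_LockedStore)
    try:
        return audit([("127.0.0.1", open_srv.server_address[1]),
                      ("127.0.0.1", locked_srv.server_address[1])])
    finally:
        for srv in (open_srv, locked_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    findings, exposed = demo()
    for f in findings:
        verdict = "EXPOSED" if f["exposed"] else ("locked" if f["reachable"] else "unreachable")
        print(f"{f['host']}:{f['port']} status={f['status']} {verdict} banner={f['banner']}")
```

Run it against the address list of every data store you own, including staging and migration copies, from a host outside your network; a store that answers 200 with a banner to an anonymous GET is already visible to anyone running a scanner, whether or not it has been indexed yet. The same probe flags a store that is "locked" only because it has not been reached; a connection refusal or timeout is reported as unreachable rather than safe, so firewall-based exposure still needs a separate check from the outside.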
Various prominent promotional products companies have dealt with data breaches or malware attacks in the last few years, including alphabroder, Hit Promotional Products, DiscountMugs.com and others. The most devastating of these was the ransomware attack that hit supplier Colorado Timberline in 2018, forcing the company to permanently shut down.
Data security has never been more difficult or essential for businesses. As we've seen in most of these cases, both inside and outside the promo industry, informing customers of potential data breaches quickly and thoroughly is absolutely critical. Not every attack can be stopped, but a fast response can help keep customers protected and salvage relationships.
It appears Vistaprint did this when notified of the exposed database. Hopefully none of its customer data ended up in the wrong hands.
UPDATE 12/2: After this article was published, a Vistaprint representative sent the below statement to Promo Marketing:
We can confirm that a Vistaprint internal research database affecting some customer data became publicly available online. We have already taken the database offline and can confirm that it is no longer accessible. Following an investigation, we concluded that no one outside of Vistaprint accessed the data beyond the security researcher and journalist who found it.
The database contained information relating to less than 30,000 customers out of our 17 million customers worldwide, including names, email addresses, phone numbers and some customer chat transcripts. We have verified that no credit or debit card information was contained within this database. We are continuing to check every relevant customer chat transcript to ensure that no additional financial data was discussed or included during these chats.
Ian Amit, chief security officer at Cimpress, parent company of Vistaprint, said: “This is unacceptable; this should not have happened under any circumstances and we are extremely sorry. As a priority, we are now contacting all affected customers to inform them of next steps. We are carrying out a full investigation to understand exactly what occurred and how to prevent anything like this happening in the future.”
“If any of our customers have any questions on this matter, I encourage them to contact our customer care team on (866) 870-4125 or via email at email@example.com. They will be able to help with individual concerns.”