Tens of thousands of customers of Hudson's Bay had personal information visible on the Saks website.

Hudson’s Bay Co., the Canadian owner of luxury retailer Saks Fifth Avenue, exposed the personal information of tens of thousands of customers through the company’s websites.

The company, No. 75 in the Internet Retailer 2016 Top 500 Guide, posted information including email addresses and phone numbers for customers at Saks as well as identification codes for products that customers signed up for on wait-lists. The private data were taken down after Hudson’s Bay was contacted by BuzzFeed News, which first reported the exposure.

“The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses,” a Hudson’s Bay spokeswoman said in an emailed statement Sunday. “We have resolved any issues related to customer phone numbers, which was an even smaller percent.”

No credit, payment or password information was ever exposed, according to the spokeswoman.

“The data leakage from the Saks Fifth Avenue breach can best be described as a misconfiguration; it appears that a back-end database that contained JSON [JavaScript Object Notation] information about customers was accessible without authentication,” says Alex Heid, chief research officer at vendor SecurityScorecard, which was founded in late 2013 by two former security leaders who worked at flash-sale e-retailer Gilt Groupe. Hudson’s Bay bought Gilt in January 2016.
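To make the misconfiguration Heid describes concrete, here is an added illustration (not Saks' or Hudson's Bay's code, and not from the article) of a hypothetical wait-list API: the first handler serves the whole customer table as JSON to any caller, the second requires a session token and returns only the caller's own record with the phone number left out. The endpoint path, the customer records, and the session tokens are all constructed for the example.

```python
"""Hypothetical wait-list API: the misconfigured handler beside a hardened one."""
import hmac
import json

# Constructed sample data standing in for a back-end customer/wait-list table.
CUSTOMERS = {
    "c-1001": {"email": "alice@example.com", "phone": "+1-555-0100", "waitlist": ["SKU-7781"]},
    "c-1002": {"email": "bob@example.com", "phone": "+1-555-0101", "waitlist": ["SKU-4410"]},
}

# Constructed session store: opaque token -> customer id. A real service would
# back this with a server-side session table or a signed, expiring token.
SESSIONS = {"tok-alice-9f3a": "c-1001"}


def misconfigured_handler(path, headers):
    """The failure mode described in the article: wait-list data is served as
    JSON to anyone who asks for it, with no authentication check at all."""
    if path == "/api/waitlist":
        return 200, json.dumps(list(CUSTOMERS.values()))
    return 404, ""


def _session_customer(headers):
    """Resolve a bearer token to a customer id; None if absent or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison against each stored token avoids timing leaks.
    for stored, cid in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return cid
    return None


def hardened_handler(path, headers):
    """Same endpoint with two fixes: authenticate every request, and return
    only the caller's own record with the contact fields minimised."""
    if path != "/api/waitlist":
        return 404, ""
    cid = _session_customer(headers)
    if cid is None:
        return 401, json.dumps({"error": "authentication required"})
    record = CUSTOMERS[cid]
    # The page only needs the wait-list and the caller's own email; the phone
    # number is never sent, so a bug elsewhere cannot expose it.
    return 200, json.dumps({"email": record["email"], "waitlist": record["waitlist"]})


if __name__ == "__main__":
    print(misconfigured_handler("/api/waitlist", {}))
    print(hardened_handler("/api/waitlist", {}))
    print(hardened_handler("/api/waitlist", {"Authorization": "Bearer tok-alice-9f3a"}))
```

The two changes are independent: authentication stops anonymous enumeration of the table, and per-caller scoping plus field minimisation limit what an authenticated but buggy or abused session can reveal. Either alone would have reduced the exposure the article describes; together they remove it.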
“Fortunately, this information did not contain anything other than email addresses and phone numbers,” Heid says. “It does not seem that any passwords or credit card information was leaked. However, the availability of email addresses and phone numbers means that an attacker could have harvested a significant number of customers to target with a phishing/malware spam campaign sometime down the line, either via email or SMS [text].”

Such an accidental data leak “may result in reputation damage at minimum, or a real data breach incident as a worst case scenario,” Heid says. “Enterprises who run large scale e-commerce outlets are at risk for these types of accidental leaks, as oftentimes they are working with many moving parts that consist of rapidly deployed, cutting-edge technologies. Their focus is on functionality, rather than security,” he says.

“This breach is another easily avoidable and sad case of inadequate oversight on behalf of the information security team,” says George Avetisov, CEO of Hypr Corp., a security firm that uses biometrics such as fingerprints, facial and voice recognition to help retailers prevent fraud. “Breaches like this typically happen when an enterprise doesn’t follow best practices with regards to protecting customer data, either due to budget or resource constraints. While this may seem like minimal damage to their reputation, these incidents expose further weaknesses and can be followed by larger and more devastating breaches. Sadly, it looks like corporations still have much to learn from Yahoo.”