A security researcher has found an exposed database on the internet belonging to online printing giant Vistaprint.
Security researcher Oliver Hough discovered the unencrypted database last week. There was no password on the database, allowing anyone to access the data inside. The database was first detected by exposed device and database search engine Shodan on November 5, but it may have been exposed for longer.
Hough tweeted to warn the company of the security lapse, but has not heard back.
Vistaprint, owned by Netherlands-based parent Cimpress, quietly took the database offline after TechCrunch reached out but did not comment by our deadline. Robert Crosland, a spokesperson for Vistaprint, said in a statement after we published that the exposure affected customers in the U.S., the U.K. and Ireland.
"This is unacceptable and should not have happened under any circumstances," the company said. "We're currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it," the spokesperson said.
The company said it will inform customers of the exposure, many of whom are protected under the strict GDPR data protection rules.
The database contained five tables storing data on more than 51,000 customer service interactions, such as calls to customer service or chats with an online support agent. The data also included personally identifiable information, including names and contact information, which could identify individual customers.
One table named "cases" contained incoming customer queries, including the customer's name, email address, phone number, and the date and time of their interaction with customer service. Many of those customer service interactions were as recent as mid-September.
The data also contained information hidden from the customer. Each customer service interaction in the "cases" table appeared to have graded the customer's query based on keywords picked from their query. That helped to determine the customer's sentiment, which then described their complaint as either "negative" or "neutral." The data also included the priority of a customer's interaction, allowing it to be pushed higher in the queue.
Another table named "chat" contained thousands of customers' line-by-line online chat interactions with support agents, but also contained information about the customer's browser and network connection, where they were located, what operating system they used, and their internet provider.
Some of the recorded chat logs also contained sensitive information like order numbers and postal tracking numbers, but there were no passwords or financial data in the exposed database.
The "emails" table contained entire email threads with customers detailing problems or other issues with their orders. And the "phone" table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call, often including details of the customer's orders, and an internal link (which we could not access) to the recording of the call.
The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.
According to Hough, the database was not currently sending or receiving data. The database was named "migration," suggesting the database was used to temporarily store data while customer records were moved from one server to another.
But it's not clear why the database was exposed and left online without a password.