UPDATED 21:26 EDT / NOVEMBER 25 2019

SECURITY

Vistaprint exposes customer data via unsecured database

Online printing service Vistaprint is the latest company to expose customer data online in what seems like a never-ending stream of companies exposing data to all and sundry.

The database, which contained more than 51,000 customer service interactions, was found by security researcher Oliver Hough via the Shodan security search engine, and it was not protected with a password.

Each record included the customer’s name, email address and phone number, the date and time of the interaction with customer service, and other fields including browser and network connection, operating system and internet service provider. The most recent records in the database, covering customers in the U.S., the U.K. and Ireland, dated to mid-September.

Hough reached out to Vistaprint but received no response and the database remained online. The database was only taken offline after TechCrunch today contacted the company, owned by Cimpress N.V., to ask it for details of the data breach.

“This is unacceptable and should not have happened under any circumstances,” the company told TechCrunch. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it.”

Since the parent company is located in the Netherlands, it’s subject to the European Union General Data Protection Regulation. Although Vistaprint says that it will now inform customers of the data breach, the regulation also imposes penalties where companies have not taken adequate measures to secure customer data. Not setting a password on a database hosted online would certainly meet the criteria of failing to undertake adequate security measures.

European bodies tasked with enforcing GDPR have been active in doing so. In October the European Data Protection Supervisor found that Microsoft Corp. contracts had breached the regulation. In May the U.K.’s Information Commissioner’s Office fined Marriott International Inc. $123.6 million for a 2018 data breach.

“Companies are all too often unaware of the possibility for others to find systems exposed to the Internet,” Craig Young, computer security researcher for cybersecurity firm Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “Tools like Rob Graham’s masscan and services like Shodan or Censys now make it that much easier for minimally resourced individuals to scour the internet and reveal systems not intended for general public access.”
