Vistaprint cock-up triggers online customer data leak

Vistaprint, the online printing giant, has admitted to an “unacceptable” breach of customer data after exposing the details of thousands of customers in an unencrypted database which was left online with no password protection.

Security researcher Oliver Hough, who first discovered the data, contacted the firm via Twitter to warn of the security lapse but has not heard back.

Vistaprint’s Netherlands-based parent Cimpress has since taken the database offline but has admitted that the breach has affected customers in the UK, Ireland and the US.

The database contained five tables holding records of more than 51,000 customer service interactions, such as calls to customer service or chats with an online support agent. The data also included personally identifiable information, including names and contact details.

One table named “cases” contained incoming customer queries, including the customer’s name, email address, phone number, and the date and time of their interaction with customer service. Many of those customer service interactions were as recent as mid-September.

Another table named “chat” contained thousands of customers’ line-by-line online interactions with support agents, along with information about each customer’s browser, operating system, network connection, location and Internet service provider.

Some of the recorded chat logs also contained sensitive information like order numbers and postal tracking numbers, but there were no passwords or financial data in the exposed database.

In a statement, the company said: “This is unacceptable and should not have happened under any circumstances. We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it.”

The company said it will inform affected customers, but did not confirm whether it will also fess up to the Information Commissioner’s Office.

UPDATE: Vistaprint has released a new statement in which it said: “We can confirm that a Vistaprint internal research database, affecting some customer data, became publicly available online. We have already taken the database offline and can confirm that it is no longer accessible. Following an investigation, we concluded that no one outside of Vistaprint accessed the data beyond the security researcher and journalist who found it.

“The database contained information relating to less than 30,000 customers out of our 17 million customers worldwide, including names, email addresses, phone numbers and some customer chat transcripts. We have verified that no credit or debit card information was contained within this database. We are continuing to check every relevant customer chat transcript to ensure that no additional financial data was discussed or included during these chats.”
