Baby Clothes Giant Carter’s Leaks 410K Customer Records

Purchase automation software delivered shortened URLs without protections.

Baby clothes retailer Carter’s inadvertently exposed the personal data of hundreds of thousands of its customers, dating back years, according to a new disclosure.

The issue started with Linc, a vendor the company used to automate online purchases, according to analysts with vpnMentor who first discovered the problem. The Linc system was delivering customers shortened URLs to Carter's purchase and shipping details without basic security protections. The pages behind the links exposed everything from purchase details to tracking information.

“Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as full names, delivery addresses and phone numbers,” the report explained.

The analysts calculated that more than 410,000 records, belonging to hundreds of thousands of customers, were exposed in the leak, which they estimated dates as far back as 2015.

“Those shortened URLs were easily discoverable to hackers due to a lack of sufficient entropy or compensating security protocols,” the vpnMentor analysts wrote. “Carter’s also put no authentication in place to verify that only the person who’d made the purchase could visit the confirmation page.”

Compounding the risk, the researchers found that the links never expired, meaning customers who might have purchased from Carter’s years ago were still potentially in danger.
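The three weaknesses the researchers describe (short codes with too little entropy, no check that the visitor is the purchaser, and links that never expire) are exactly what a signed, time-limited link token is designed to remove, and the URL-editing step that exposed the backend JSON fails once the order id travels inside the signed token rather than as an editable URL parameter. The Python below is an added example written for this page, not code from Linc, Carter’s or vpnMentor; SERVER_KEY, the order ids and the 6-character alphanumeric code used for the entropy comparison are assumptions, since the report does not describe Linc’s actual URL format.

```python
"""Added example (not Linc's or Carter's code): making a purchase-confirmation
link unguessable, bound to one order, and time-limited.
SERVER_KEY, the order ids and the 6-character sample code are hypothetical;
the vpnMentor report does not describe Linc's real URL format."""
import base64
import hashlib
import hmac
import json
import math
import secrets
import time

# Constructed for the example; a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a short code of `length` symbols over `alphabet_size`,
    for comparison with the 128-bit random nonce used in the token below."""
    return length * math.log2(alphabet_size)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link_token(order_id: str, ttl_seconds: int, now=None) -> str:
    """Mint the opaque token that goes into the confirmation URL.

    The token carries the order id, an expiry and a 128-bit random nonce, and
    is HMAC-signed so a recipient cannot edit it to point at another
    customer's order (the URL-editing step the researchers used)."""
    now = time.time() if now is None else now
    payload = {"oid": order_id, "exp": int(now) + ttl_seconds,
               "nonce": secrets.token_urlsafe(16)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(sig)


def verify_link_token(token: str, now=None):
    """Return (reason, order_id); order_id is None unless reason == "ok".

    Checks shape, then signature, then expiry. The backend takes the order id
    from the verified token, never from a separate URL parameter, so there is
    nothing for a visitor to modify."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64d(body_b64), _b64d(sig_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error)
        return ("malformed", None)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return ("bad signature", None)
    payload = json.loads(body)
    if payload["exp"] < now:
        return ("expired", None)
    return ("ok", payload["oid"])


def forge_for_other_order(token: str, other_order_id: str) -> str:
    """What editing the URL would produce: the original signature attached to
    a payload naming a different order. Used only to show it is rejected."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64d(body_b64))
    payload["oid"] = other_order_id
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(body) + "." + sig_b64


if __name__ == "__main__":
    print(f"hypothetical 6-char [a-z0-9] code: {guess_space_bits(36, 6):.1f} bits; "
          f"token nonce: 128 bits")
    t = make_link_token("A1001", ttl_seconds=3600, now=1_700_000_000)
    print(verify_link_token(t, now=1_700_000_100))          # ('ok', 'A1001')
    print(verify_link_token(t, now=1_700_003_601))          # ('expired', None)
    print(verify_link_token(forge_for_other_order(t, "A1002"), now=1_700_000_100))  # ('bad signature', None)
```

The entropy helper makes the first complaint concrete: a 6-character lowercase-alphanumeric code (a hypothetical format) has about 31 bits, which an attacker can walk through, while the token's nonce alone has 128. The other two complaints are handled by the expiry field and by the fact that the only identifier in the URL is the signed token itself; the order id that the backend trusts comes out of `verify_link_token`, so editing the URL either breaks the signature or changes nothing.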

Carter’s Customers Exposed to Phishing Scams, Other Fraud

This kind of granular customer data could be used by threat actors in a fraudulent phishing campaign appearing to be from Carter’s, to scam victims into giving up even more sensitive data, like credit-card information.

“For more recent orders, hackers could simply ring up a Carter’s customer to discuss purchases made and pose as couriers or customer support, building rapport with the target and ensnaring them in criminal schemes,” the vpnMentor researchers warned. “Finally, for any purchases still on their way to a customer, hackers could redirect deliveries and steal them, reselling any stolen Carter’s products online.”

When the team contacted Carter’s on March 17 with the details of the breach, they were told to submit the report through other channels, rather than directly to the company. Eventually the shortened URLs were deactivated, according to vpnMentor’s report, sometime between April 4 and 7.

Carter’s, which accounts for 25 percent of the total $3 billion baby apparel market, could not be reached for comment. Linc, the vendor identified as sending out unprotected shortened URLs, also did not respond to requests for comment from Threatpost.

Carter’s joins other big-name retail brands like Hobby Lobby and Kmart, which have been forced to grapple with large-scale data breaches.

Researchers with vpnMentor suggested that Carter’s customers who are concerned that their data might have been part of the breach should contact the company directly for answers.

Discussion

  • Elaine Engen on

    What are you doing to rectify the situation? I’ve been getting a lot of weird emails, which leads me to believe my information was compromised. I’ve also had threats on my credit card, since I used it in your store in Iowa. I’d like to know what you were doing about it.
  • Swetha on

    This giant company spends money to stop accepting wrong coupon codes or repeated coupon codes in the checkout section. Instead of doing that, if they had been cautious about hacking and spent the same amount of money on protecting the website, this would have saved a lot of money and prevented any unwanted leaks of customer data.
  • Anonymous on

    Totally agreed
  • Jode on

    I am absolutely worried. As a Carters customer, they haven't been transparent about this issue. A letter should have been sent to all customers advising of this breach.
  • Brian H on

    Yes Elaine, this Threatpost article comment section is where you can ask Carter's your questions directly and expect responses. They have staff monitoring the comments of this particular article 24/7, after all.
  • Angela Wilson on

    Well, I think this is just crazy!! My info is now in danger on the internet, and I shop with Carter’s often and have advised many friends to shop with them as well! Now this information about a breach! I think the company has a duty to let their customers know when something like this happens, and it should be sooner rather than later! Very disappointed ☹️!
  • Dorothea English on

    This is just absurd. Carter’s should have sent something out to customers. I shop often online with Carter’s and now my info may be in danger; I may not shop at Carter’s for a while now.