Vulnerability in Tommy Hilfiger Japan DB Exposes Hundreds of Thousands of Customers to Data Theft

Vulnerability in Tommy Hilfiger Japan DB Exposes Hundreds of Thousands of Customers to Data Theft
Paul Kane
BY: Paul Kane
Posted: April 30, 2019

Hacker-activists Noam Rotem and Ran L from Safety Detective’s research lab recently revealed a significant security breach in the Tommy Hilfiger Japan client database – leaving the private and personal details of hundreds of thousands of customers up for grabs.

Nearly 1 Million Website Visits

Tommy Hilfiger’s Japanese website, which received nearly one million visits so far this year, runs on an open Elasticsearch server not intended for URL access. But with minimal manipulation, the research team was able to find the gaping security oversight to the customer database.

Unprotected Customer Data Up for Grabs

The unsecured database provided easy access to the personal details of hundreds of thousand of customers in Japan, including first and last names, addresses, phone numbers, email addresses, dates of birth, last purchase dates, total orders made, and membership numbers.  Alarmingly, the unencrypted info, stretching as far back as 2014, was accessible without a password, leaving the sensitive data completely unprotected.

Unprotected Customer Data Up for Grabs

This screen capture shows the personal details of two out of hundreds of thousands of Japanese Tommy Hilfiger customers.

Millions of Orders Open to Hacking and Data Theft

In addition to the vast customer info, details on millions of orders were also easily accessible, including product descriptions, prices, pictures, sizes, SKUs, and manufacturing dates; as well as nation wide store locators complete with phone numbers, addresses, and more.

Millions of Orders Open to Hacking and Data Theft

This screen capture displays details on two out of millions of Tommy Hilfiger Japan customer orders.

PVH Corp. Reply

We spoke to the Senior Vice President of Security at PVH Corp., the parent company of Tommy Hilfiger (as well as Calvin Klein, Van Heusen, IZOD, ARROW, Speedo, Warner’s, and Olga), who acted quickly after receiving our disclosure to shut down the affected servers. He later thanked us for our report and efforts to seal the breach.

Since PVH Corp. powers a number of fashion brands in addition to Tommy Hilfiger, it’s not clear if the vulnerability may have also affected other websites. In this case, the breach seems to have only impacted Japan.

Scanning The Web For Major Vulnerabilities

The cyber security research team makes a point of scanning the web for potential vulnerabilities, in order to help spread public awareness and prompt companies like Tommy Hilfiger to take action against potential security oversights before criminals and bad actors can exploit them

About Us

SafetyDetective.com is the world’s largest antivirus review website. The Safety Detective research lab is a pro bono service that aims to help the online community defend itself against cyber threats, while educating organizations on protecting their users’ data.

You may also be interested in reading about a major security breach found in hospitals and supermarkets, and a recently discovered vulnerability affecting nearly half of all airlines worldwide.

 

About the Author

Paul Kane
Paul Kane

Paul is an avid copywriter and editor with a keen interest in cyber security and high tech.