Online retailer Buy.com Inc. and United Parcel Service of America Inc. Friday confirmed that a glitch in a new product-returns system used by Buy.com’s Web site exposed the names, addresses and telephone numbers of some of its customers to other Internet users.
In a statement, Aliso Viejo, Calif.-based Buy.com said it and UPS “have implemented a technical solution concerning the online returns process” after learning that information about a “small number” of customers was briefly viewable on electronic shipping labels provided by UPS as part of a service announced last month.
Buy.com is the first Internet-based retailer to use the online returns service, which provides online shoppers with on-screen labels that they can print out and attach to the packages they wish to return. A Buy.com spokeswoman said the company would have no further comment on the glitch with the servers that run the UPS service.
But Steve Holmes, a spokesman for Atlanta-based UPS, said credit-card numbers and other personal financial data collected from Buy.com customers as part of online transactions weren’t exposed to other users. “Basically, it was just what’s contained in a phone book,” Holmes said, although he added that UPS isn’t trying to downplay the seriousness of the security hole in its servers.
The problem occurred when a customer was returning some merchandise purchased from Buy.com, Holmes said. When a user fills out the return shipping label, the UPS system automatically generates a Web page containing the label. By changing one number in the URL of such a page, Holmes said, the customer who reported the problem was able to see the mailing information of other customers.
“Buy.com provides us the customer information, [which] we then provide back to them in the form of a shipping label,” Holmes said. “The problem is they gave us that information in sequential order.” Because of that, he added, it was easy for an outsider to figure out that he could view someone else’s information simply by changing a single number in the URL.
However, Holmes noted that each label was saved as an image file and not as a data link, which he said made it impossible to create a software program that could automatically capture all the information.
Andrew Shen, a policy analyst at the Electronic Privacy Information Center in Washington, said Buy.com’s first responsibility is to notify its customers about the security hole. “I think we’re realizing that there is no such thing as perfect security,” he said. “But the [issue] is how companies respond when they discover [a glitch].”
Shen added that some people have unlisted telephone numbers and don’t want their information given out, especially via a medium such as the Internet.