Saks Fifth Avenue confirms data of high-net-worth individuals was exposed online

Victims included employees of NASA, IRS, homeland security and other government agencies

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Here’s yet anoth­er reminder that you should always have some “burn­er” email address accounts handy for inter­ac­tions with e-com­merce websites.

I’ve con­firmed that shop­pers at Saks Fifth Avenue who had asked the firm for noti­fi­ca­tions when sold-out items were avail­able had their per­son­al infor­ma­tion exposed by the firm.

Bob Sul­li­van, jour­nal­ist and one of the found­ing mem­bers of

Some 80,000 email address­es and/or phone num­bers were exposed, along with oth­er per­son­al nuggets—hints at where the vic­tims worked, and what items they ordered, for example.

Relat­ed video: Iden­ti­ty thieves tar­get high-net-worth individuals

The data was shared with me last week­end by Bill Ded­man at  It was vis­i­ble to the pub­lic dur­ing much of the week­end, but appeared to be removed from pub­lic view by Sun­day, March 19.

High-val­ue infor­ma­tion leaked

While the leak did not include pay­ment infor­ma­tion, a list of devot­ed Saks shop­pers would be a use­ful tool for would-be hack­ers and ID thieves. Pre­sum­ably, most would be high-net-worth indi­vid­u­als, and all of them would be wait­ing for an email from Saks with good news about a want­ed item—ideal for a phish­ing scam.

The list also poten­tial­ly could be embar­rass­ing for some. There are 90 .gov emails list­ed, for exam­ple, sug­gest­ing gov­ern­ment work­ers might be shop­ping while at work—or at least using tax­pay­er-sup­port­ed com­put­ers for per­son­al affairs.

NIH, IRS, USAID, NASA, and FERC domains were all spot­ted on the list. Sev­er­al New York City school domains also were on the list. And at least one DHS email also was spot­ted, which rais­es the addi­tion­al risk of com­pro­mis­ing some­one work­ing in home­land secu­ri­ty, then using that attack to gain oth­er sen­si­tive privileges.

SKUs for wait-list­ed items also were includ­ed, mean­ing some­one could look up the dress, shoes or even lin­gerie that cus­tomers were hop­ing to buy from Saks.

Keep spare account for purchases

At a bare min­i­mum, bet­ter dig­i­tal hygiene (a spare Gmail account) would pre­vent such users from hav­ing poten­tial­ly embar­rass­ing con­ver­sa­tions with their bosses.

For its part, Saks acknowl­edged the leak and said the prob­lem that caused it has been fixed. It con­firmed that the emails includ­ed cus­tomers who had signed up for “wait­ing list” noti­fi­ca­tions, and a few oth­er less com­mon cir­cum­stances. The firm’s gen­er­al mail­ing list was not impacted.

We take this mat­ter seri­ous­ly,” Saks said in a state­ment to me. “We want to reas­sure our cus­tomers that no cred­it, pay­ment or pass­word infor­ma­tion was ever exposed. The secu­ri­ty of our cus­tomers is of utmost pri­or­i­ty, and we are mov­ing quick­ly and aggres­sive­ly to resolve the sit­u­a­tion, which is lim­it­ed to a low, sin­gle-dig­it per­cent­age of email address­es. We have resolved any issue relat­ed to cus­tomer phone num­bers, which was an even small­er percent.”

It was unclear if Saks used a third-par­ty firm to main­tain the wait­ing list email data­bas­es; many retail­ers offer sim­i­lar wait-list features.

No wide­spread fraud at this time

There is no indi­ca­tion peo­ple on the list have been vic­tims of a fraud. It’s like­ly that the tool used to set up wait­ing list noti­fi­ca­tions was sim­ply mis­con­fig­ured and the dis­cov­ery was made by a white-hat hack­er, who passed it along to Dedman.

Still, Saks cus­tomers should use extra skep­ti­cism when open­ing emails for quite some time—from Saks, or from any­one else. It would be easy to con­struct a very tempt­ing email that said, “Caitlin: The dress you want­ed is now in stock! We could call you at 646 -XXX-XXX or sim­ply click here to order.”

And every­one read­ing this sto­ry should have a free, spare email address that they use for such inter­ac­tions with e-com­merce firms—an address that wouldn’t put you at great risk if it were hacked some day, or over­run with spam.

More relat­ed stories:
High net-worth clients tar­get­ed in Mor­gan Stan­ley breach
Hol­i­day pat­tern: high-end retail­ers inten­sive­ly track web users

Posted in Data Privacy, Data Security, Featured Story