Buy.com repairs customer-data glitch


RETAIL: A loophole revealed that names, addresses and phone numbers were disclosed. 'E-return' was closed for checking.

October 14, 2000

By DIANA McCABE The Orange County Register

ALISO VIEJO -- Internet retailer Buy.com said Friday that it fixed a loophole in its electronic product-return system that revealed customers' names, addresses and phone numbers to other customers.

However, its "e-return" service remained closed Friday while the Aliso Viejo company double-checked the system with partner United Parcel Service.

Buy.com learned of the glitch Thursday afternoon after an inquiry from Wired News.

Under Buy.com's new electronic return system, a customer wanting to send back merchandise makes the request on the company's Web site. Buy.com then sends the customer an email with an Internet address to print their UPS label for the return.

By manipulating the Internet address, a customer could see other customers' shipping labels and in some cases phone numbers. However, no credit card information was accessed, said Tom Wright, Buy.com's vice president of operations.

"We worked very quickly," Wright said. "Obviously, Internet security and privacy is a very sensitive issue."

Buy.com's e-return system has been in place for about six weeks. The company said it was unaware of the loophole until Thursday. Less than 30 percent of its returns are processed this way, Wright said. However, the system is important to e-retailers because it makes it easier for consumers to return goods.

Wright said in order to see other customers' shipping labels a person would have had to request a product return (and only previous customers can request returns) and manipulate the Internet address.

Exactly how many customers were involved is unknown, Buy.com said. "But we know it was a small number because we haven't issued many returns," on the system, said Wright.

"It sounds like the information accessed was what you'd find in the phonebook," said Jodi Beebe, hot line director at San Diego-based Privacy Rights Clearinghouse.

Still, she didn't completely dismiss the incident. "When you give out information on the Internet you're always going to be faced with the potential that the information will fall into the wrong hands."

Buy.com, which sells consumer electronics, music, sports equipment and other goods, plans to have the e-return system up for customers over the weekend, Wright said.

http://www.ocregister.com/business/buy0101401cci5.shtml

-- Doris (reaper@pacifier.com), October 15, 2000

