Glitch reveals Buy.com customer information

The online store says it has repaired an automated product return mechanism that exposed customers' names, phone numbers and addresses over the Internet.

Online store Buy.com said Thursday it has repaired an automated product return mechanism that exposed customers' names, phone numbers and addresses over the Internet.

"We resolved it as quickly as we could," said Buy.com vice president of operations Tom Wright. "We clearly understand that it's probably sensitive information to our customers."

The problem came through a merchandise return system jointly run by Buy.com and United Parcel Service. Filling out an electronic form generates a Web page with a return shipping label that a customer can print. By modifying a number in the Web address, a person can sift through a large database of mailing labels.

Harvard student Ben Edelman said he discovered the Buy.com breach Thursday when returning some merchandise. An email from the Buy.com system contained the Web address, and it was a simple matter to change it and discover other customer accounts, he said. "This doesn't look very secure," he said upon reading the email.

CNET News.com verified the breach.

The issue is similar to a series of problems that have plagued e-commerce Web sites. Eve.com took its site down when a breach allowed people to view customer orders, the types of credit card used and other information.

Netmarket, Amazon.com and IKEA also have suffered similar problems.

The Buy.com security breach happened on servers maintained by UPS, Wright said. UPS and Buy.com worked together to correct the situation, he said.

Edelman notified Buy.com of the problem Thursday afternoon. The company said it fixed the problem later in the afternoon such that customers could see shipping labels only after providing their own electronic account numbers.

Customer information still was visible at 6:40 p.m. PT after Buy.com said it had been fixed, but Travis Fagan, vice president of customer support, said it takes some time for the repair to spread across the Buy.com system.

The information was "useless," said Wright, characterizing it as no different from what a person could see looking at a box of outgoing mail in the office.

But there are some differences from what a person could find in an ordinary mailbox.

For one thing, the information revealed who exactly purchased from Buy.com, which sells computer hardware and software, consumer electronics, sports equipment, music and other products. In addition, the information was available online, making it possible to create a program that would collect the information automatically.
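
As an added illustration (not part of the original article, and not Buy.com's or UPS's code), the Python below contrasts a label lookup keyed only on the number in the Web address with one that also requires the requesting customer's account number, as in the fix the company described. The function names, fields and sample records are all constructed for the example.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ReturnLabel:
    label_id: int        # sequential number carried in the emailed Web address
    account_number: str  # account that requested the return
    name: str
    phone: str
    address: str


# Constructed sample records standing in for the label database.
LABELS = {
    1001: ReturnLabel(1001, "ACCT-7F3K", "A. Example", "555-0100", "1 Sample St"),
    1002: ReturnLabel(1002, "ACCT-92QX", "B. Example", "555-0101", "2 Sample Ave"),
}


def get_label_unchecked(label_id):
    """Before the fix: the number in the address is the only thing checked."""
    return LABELS.get(label_id)


def get_label_checked(label_id, account_number):
    """After the fix: a label is returned only to the account that owns it."""
    label = LABELS.get(label_id)
    # Use an empty expected value when the label does not exist, so that
    # "no such label" and "not your label" produce the same answer (None).
    expected = label.account_number if label else ""
    supplied = account_number or ""
    matches = hmac.compare_digest(expected.encode(), supplied.encode())
    if label is None or not matches:
        return None
    return label
```

The check is only as strong as the account number is hard to guess; where account numbers are short or sequential, the lookup should be tied to the customer's authenticated session instead.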