A company representative confirmed the breach Wednesday, calling it "temporary" and an unlucky outcome of routine development work on the Web site.
Mark Alway, a software developer from Seattle, discovered the breach Friday evening while shopping for CDs with a friend. He found that by eliminating part of the Columbia House Web address, which contains more than 100 characters at any given time, he could reach a directory of administrative tools normally unreachable to the average Web surfer.
This directory mapped out a treasure trove of links to personal customer data and sensitive Web files including company coupon codes, log files, and names and passwords to Columbia House's main Informix database, Alway said in an interview.
"It's almost negligent to have this type of error--it's something you're trained to solve in very basic Web training courses, not to leave directory indexing on. A large business shouldn't have such a simple mistake on their site," said Alway, who immediately sent an e-mail to technical contacts at the site Friday. He said he received a response Wednesday that the site had been fixed.
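The misconfiguration Alway describes is a web server serving an auto-generated file listing whenever a request hits a directory with no index page. The following Apache configuration fragment is an added illustration, not anything from Columbia House or from the article: the first block shows the weak setting that produces such listings, the second shows the hardened form, and the paths (`/var/www/html`, `/var/www/html/admin`) are assumed placeholders.

```apache
# --- Weak: directory listings enabled (what the article describes) ---
# With Indexes on and no index.html in a directory, Apache answers a
# request for that directory with an auto-generated "Index of /..." page,
# exposing every file name it contains (log files, config, tool scripts).
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened: listings off, admin tree not served to anonymous users ---
# "-Indexes" removes the listing capability for the whole document root;
# a directory without an index page now returns 403 instead of a listing.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Administrative tooling (assumed path) should not live under the public
# document root at all; if it must, restrict it by source address and/or
# authentication rather than relying on an obscure, long URL.
<Directory "/var/www/html/admin">
    Options -Indexes
    Require ip 10.0.0.0/8
</Directory>

# Database credentials and similar secrets should never be in the web
# tree; as a backstop, refuse to serve common secret/config file names.
<FilesMatch "^(\.env|\.htpasswd|.*\.(bak|log|ini|cfg))$">
    Require all denied
</FilesMatch>
```

The nginx equivalent of the hardened setting is `autoindex off;` (the default) in the relevant `server` or `location` block. Either way, the check a practitioner wants after deploying is to request a directory path without an index file on their own site and confirm the response is 403 rather than an "Index of" page.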
Columbia House spokeswoman Andrea Hirsch acknowledged that a small collection of the company's customer names and addresses was available through the files, but she said that without a customer's full credit card number--only the last four digits were available--that person's account remained safe.
"Unfortunately, the view screen got switched on to the site...(allowing) access to a number of directory files temporarily. But we fixed that immediately," Hirsch said. "Although the issue was an unfortunate one, we're sure that no sensitive commercial customer info was obtained during this minor breach."
She said the company was still looking into the vulnerability of sensitive Columbia House files.
Privacy specialists say this is an all-too-common occurrence.
"This is a classic case of poor security that leads to bad privacy," said Larry Poneman, newly appointed president of Guardent, a privacy and security solutions company. Poneman said he had heard of the vulnerability within his circle of business associates.
The breach at Columbia House is similar to many other technical glitches at online businesses. In January a security breach at Travelocity exposed the personal information of thousands of the online travel company's customers. A month earlier, a hacker broke into Egghead.com, potentially exposing its 3.7 million customer accounts.
In addition, security breaches or hacker attacks made vulnerable customer and client information at CreditCards.com, IKEA and Amazon.com last year.
Through the Columbia House breach, Alway said he had access to personal data on 3,700 customers, which Hirsch would not confirm or deny.
"I don't think a lot of users want their personal information out there, and (Columbia House) certainly is not doing a good job of protecting it," Alway said.