IKEA exposes customer information on catalog site

The home furnishings retailer closes its online catalog order site after a privacy breach makes the personal information of tens of thousands of its customers available online.

Home furnishings retailer IKEA closed its online catalog order site last night after a privacy breach made the personal information of tens of thousands of its customers available online.

The information had been exposed since at least Monday morning, when an IKEA customer uncovered an unprotected database file containing customer records. The file, which was accessible until yesterday evening, contained the names, addresses, phone numbers and email addresses of customers who ordered IKEA catalogs.

Dan Huddle, chief technology officer for New York-based Net publisher Xanga.com, said he discovered the privacy breach over the weekend, when he attempted to order a catalog. When he tried to submit his data, he got an error message, which then gave him the name of the database file, he said.

Huddle said he recognized the error message, having seen it before on other Web sites. By entering the database file in the Web address, or URL, he was able to access the entire database.
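As an added illustration, not code from the article or from IKEA's site, the two weaknesses described above modelled in Python: an error handler that echoes the backing file's name to the client, and a file handler that serves anything under the webroot, each beside a hardened version that logs server-side and requires authorization for data-store files. The file name `catalog_orders.mdb`, the customer row and the simulated failure are constructed for the demo.

```python
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("catalog")
DATA_FILE = "catalog_orders.mdb"   # constructed name; the article does not give the real file name

def handle_order_verbose(submit):
    """Weak pattern: the raw exception text, file path included, goes back to the client."""
    try:
        return 200, submit()
    except Exception as exc:
        return 500, f"Error: {exc}"

def handle_order_safe(submit):
    """Hardened: full detail stays in the server log; the client gets an opaque message."""
    try:
        return 200, submit()
    except Exception:
        log.exception("catalog order failed")
        return 500, "Sorry, your request could not be processed."

def resolve_under(webroot, url_path):
    """Map a URL path onto the webroot; refuse anything that escapes it or is not a file."""
    webroot = Path(webroot).resolve()
    target = (webroot / url_path.lstrip("/")).resolve()
    try:
        target.relative_to(webroot)
    except ValueError:
        return None
    return target if target.is_file() else None

def serve(webroot, url_path, protect=True, authorized=False):
    """protect=False is the weak pattern: everything under the webroot is served, data store included."""
    target = resolve_under(webroot, url_path)
    if target is None:
        return 404, b""
    if protect and target.suffix.lower() in {".mdb", ".db"} and not authorized:
        return 403, b""   # backing-store files need explicit authorization, whatever the URL
    return 200, target.read_bytes()

def demo():
    """Replay the two-step exposure: the error names the file, then the file is fetched by URL."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / DATA_FILE).write_text("Jane Doe,1 Main St,555-0100,jane@example.invalid\n")
        def failing_submit():   # constructed failure whose message carries the file name
            raise OSError(f"could not open {DATA_FILE}")
        verbose = handle_order_verbose(failing_submit)          # 500, message leaks catalog_orders.mdb
        safe = handle_order_safe(failing_submit)                # 500, opaque message
        leaked = serve(root, "/" + DATA_FILE, protect=False)    # 200 with every customer row
        blocked = serve(root, "/" + DATA_FILE)                  # 403 without authorization
        return verbose, safe, leaked, blocked
```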

"This is especially concerning to me since I was about to put my own contact info in there," Huddle said. "What a spammer's dream!"

Rich D'Amico, new business development manager for IKEA North America, disputed Huddle's account of how he gained access to the database file, saying the file is normally protected, but became exposed after someone barraged IKEA's site with "thousands" of catalog requests on Sunday night.

"We normally have very high security," D'Amico said. "That's why we're so shocked. Whoever broke into it has a lot of knowledge of these things."

D'Amico said IKEA's catalog database is maintained by Epsilon, an online marketing company, but both companies said Epsilon was not involved in the error. IKEA asked a third company, which it would not name, to shut down the catalog Web site after the home furnishings retailer was notified of the problem by CNET News.com.

"We're going to leave the site down until we have the full report," he said. "This is not a normal situation, we know that."

The exposure at IKEA was a clear privacy violation, said Chris Christiansen, an analyst who studies online security issues at International Data Corp. Christiansen, who said he has seen similar gaffes before, said they are often found at complex Web sites where security is an "afterthought."

"It's disconcerting that that information, which the customer felt was for the sole use of IKEA, was exposed to basically anyone who came along," Christiansen said. "Obviously there should have been some kind of authentication or authorization on the file, or it should have sat behind a firewall."

The privacy breach is only the latest online fiasco for the Swedish furniture company. In March, IKEA shut down an email promotion that critics likened to spam.

During the past 18 months, Nissan, Butterball, De Beers and other companies have exposed the personal information of thousands of their customers.