A Walmart Canada customer discovered a data leak on the retailer’s website that exposed “highly sensitive” information, CTV News reported. The exposed information included names, billing addresses, orders, order dates, payment methods, and the last four digits of credit cards.
Customer Sanjay Bhatia, who works in information technology, was monitoring his order for return when he encountered the security flaw in the website’s ordering and tracking tool.
According to Bhatia, “(It’s) a huge exploit. And I’m just flabbergasted. I’m actually pissed off because, you know, my stuff was on there too.” Bhatia, who informed CTV News, noted that he attempted to get in touch with Walmart Canada.
The customer added, “Nobody really wants their stuff to be out there like that.” He also implied that a company like Walmart is expected to have a better security system.
Bhatia explained that he accessed other customers’ information by logging into his own account and then searching for order numbers. CTV News was able to replicate the process and also tried it on Amazon.ca. Walmart Canada showed customer info, but Amazon Canada did not.
In addition to the information mentioned above, the website showed the chosen payment option, such as Visa, Mastercard, Amex, or PayPal, and the delivery option, such as home or a Walmart location.
In addition to this method, Bhatia discovered that he could access the information another way, through a related page. CTV News noted that this method has been disabled and addressed.
In an email, Walmart Canada spokesperson Adam Grachnik said, “We take customer privacy very seriously and have numerous security protocols in place to protect it.”
He added, “As soon as this came to our attention today, and out of an abundance of caution, we immediately disabled the webpage where guest customers could access their order tracking details. We are looking into the matter further.”
Cybersecurity analyst Yuan Stevens noted that while this is a common security flaw, it is a “highly sensitive example of data exposure.”
In fact, the policy lead on technology, cybersecurity, and democracy at the Ryerson Leadership Lab and the Cybersecure Policy Exchange said that this type of vulnerability was in the top 10 list of common risks in 2017.
Meanwhile, Walmart’s policy said that customers “may be eligible for monetary compensation” depending on the company’s decision. Payments can range from $100 to $15,000 based on the gravity of the situation.