A security lapse at Express briefly exposed sensitive customer information online, raising fresh concerns about data protection practices in the retail sector.
The incident, first identified by TechCrunch, revealed that order confirmation pages from Express’ website were accessible through public search engine results. The flaw allowed unauthorized users to view personal and purchase details tied to individual orders. Exposed information included customer names, email addresses, phone numbers, and shipping and billing addresses, along with order contents and partial payment card details such as card type and the last four digits.
The vulnerability came to light after security and privacy advocate Rey Bango investigated a suspicious transaction on a relative’s account. While attempting to verify the legitimacy of an order number, Bango discovered that unrelated customer data could be accessed through similar links. “When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order and someone else’s order information came up!” Bango told the outlet.
Further verification confirmed that the retailer’s order numbers followed a largely sequential pattern, making it possible to access additional records by modifying web addresses. After being notified, Express addressed the issue and secured the affected pages.
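The weakness described above is a classic insecure direct object reference: the sequential order number is the only key to a confirmation page that needs no login, so a guessed or search-indexed URL returns another customer's order. The following is an added illustration, not Express' code or anything from the TechCrunch report; the ORDERS store, SERVER_SECRET and the two handler functions are constructed for the example, and it shows the exposed pattern beside a hardened one that binds each page to an unguessable per-order token and keeps crawlers and caches out.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample order store; ids are sequential, as in the reported incident.
ORDERS = {
    1001: {"customer": "A. Example", "last4": "4242"},
    1002: {"customer": "B. Example", "last4": "1111"},
}

# Hypothetical server-side secret; a real deployment loads it from a secrets manager.
SERVER_SECRET = secrets.token_bytes(32)


def vulnerable_lookup(order_id: int):
    """Exposed pattern: the guessable id alone selects the record, no ownership check,
    no anti-indexing headers, so id+1 or a search result reveals someone else's order."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {}, None
    return 200, {}, order


def order_token(order_id: int) -> str:
    """Unguessable capability for one order: HMAC-SHA256 of the id under the server
    secret. Only the checkout redirect / confirmation e-mail carries this value."""
    return hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256).hexdigest()


def hardened_lookup(order_id: int, token: Optional[str]):
    """Require the per-order token, answer identically for a wrong token and a missing
    order, and mark the page as non-indexable and non-cacheable."""
    headers = {
        "X-Robots-Tag": "noindex, nofollow",   # belt and braces; the token is the real control
        "Cache-Control": "no-store, private",
    }
    order = ORDERS.get(order_id)
    expected = order_token(order_id)  # computed even for unknown ids to keep timing uniform
    authorized = token is not None and hmac.compare_digest(expected, token)
    if order is None or not authorized:
        return 404, headers, None
    return 200, headers, order
```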
In a statement, Express marketing executive Joe Berean said: “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.” He added, “Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time.”
The company did not confirm whether affected customers would be notified or whether regulatory disclosures would follow, leaving open questions about the broader impact of the exposure.
