Fashion Retail Giant Express Patches Website Vulnerability That Exposed Customer Personal and Order Data

Exclusive reporting from TechCrunch confirms that major fashion retailer Express has rolled out an emergency patch for its e-commerce website to resolve a critical security flaw that allowed any third party to access other customers’ private order details and personally identifiable information. At least a dozen Express customer orders were already indexed and publicly visible in major search engine results before the fix.

The unaddressed vulnerability left order confirmation pages on Express’ online store open to unauthenticated public access, revealing full purchase details and shopper identities to anyone who opened the page’s URL.

Exposed customer data included full names, phone numbers, email addresses, shipping, billing, and delivery postal addresses, line-item details of all purchased items, and partial payment card information including the card network and final four digits of the card number.

Express is a large-scale clothing retailer operating hundreds of brick-and-mortar locations across the United States, Mexico, and broader Latin America. Formerly a publicly traded company, it is currently owned and operated by WHP Global, a private firm that controls multiple leading fashion and retail brands.

Security and privacy advocate Rey Bango discovered the flaw by accident while investigating a fraudulent purchase on a family member’s Express account, but found no official channel to report the vulnerability to the company directly. Unable to flag the issue internally, Bango asked TechCrunch to alert Express to the bug to push for a fix.

“When I searched Google to confirm whether the fraudulent order number matched Express’ standard order number format, I pulled up a direct link to another shopper’s order, and their full personal information loaded immediately,” Bango told TechCrunch.

TechCrunch independently verified the vulnerability, confirming that users only need to modify the order number in an order confirmation page URL to pull up full order and personal data from other customers. Express uses mostly sequential order numbering, which makes it simple for bad actors to cycle through thousands of orders and harvest bulk customer data using basic automated tools.
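The failure described above is a missing object-level authorization check: the page trusts the order number in the URL as proof of entitlement. The following is an added illustration in Python, not code from Express’ site or from TechCrunch; the order store, field names and the `session_user`/`token` parameters are assumptions. It places the flawed lookup beside a hardened one that returns a record only to the account that placed the order or to a holder of that order’s own high-entropy link token, so a guessable sequential number alone is no longer enough.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


# Constructed sample data: a tiny in-memory store standing in for the retailer's
# order database. The field names are assumptions, not the real schema.
@dataclass
class Order:
    order_number: int   # sequential and therefore guessable, as the article describes
    owner_id: str       # customer account that placed the order
    view_token: str     # unguessable secret embedded in the customer's own confirmation link
    summary: str        # stands in for the PII, line items and partial card data


ORDERS = {
    100001: Order(100001, "cust-a", secrets.token_urlsafe(32), "a's address, card ending 1234"),
    100002: Order(100002, "cust-b", secrets.token_urlsafe(32), "b's address, card ending 5678"),
}


def confirmation_page_vulnerable(order_number: int) -> Optional[str]:
    """Mirrors the reported flaw: the only input is the number taken from the URL,
    so whoever supplies a valid number gets that customer's order."""
    order = ORDERS.get(order_number)
    return order.summary if order else None


def confirmation_page_fixed(order_number: int, session_user: Optional[str] = None,
                            token: Optional[str] = None) -> Optional[str]:
    """Object-level authorization: the record is released only to its owner
    (authenticated session) or to a bearer of that specific order's link token.
    A non-existent order and a failed check both return None, so the endpoint
    does not reveal which order numbers exist."""
    order = ORDERS.get(order_number)
    if order is None:
        return None
    if session_user is not None and session_user == order.owner_id:
        return order.summary
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors.
    if token is not None and secrets.compare_digest(token.encode(), order.view_token.encode()):
        return order.summary
    return None
```

The token is a convenience for guest checkouts, not a substitute for the ownership check; both conditions belong in the handler, and the sequential number itself should never be the only thing the server relies on.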

After TechCrunch contacted Express to flag the issue, the apparel giant patched the flaw this Wednesday. The company has declined to share whether it plans to notify impacted customers of the security lapse.

When reached for comment, Joe Berean, Express’ head of marketing, told TechCrunch: “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”

“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time,” Berean added.

Berean would not share official contact information for customers to report security issues, nor would he confirm whether Express plans to add dedicated infrastructure for vulnerability reporting, such as a formal vulnerability disclosure program or bug bounty. He also would not say whether the company has the logging capabilities needed to determine if any unauthorized third party already accessed customer data via the flaw. The executive did not respond to follow-up questions, including whether Express plans to disclose the incident to U.S. state attorneys general as required by state data breach notification laws.

Express’ accidental data exposure is the latest in a string of similar incidents in recent months, where customer information has been left publicly accessible due to simple misconfigurations or unaddressed security oversights.

In December 2023, a security researcher found that home improvement giant Home Depot had left its internal systems exposed to the public for a full year, and faced significant barriers when attempting to alert the company to the issue. That same month, veterinary and pet wellness giant Petco took its website offline after TechCrunch discovered that the company’s Vetco Clinics subdomain was leaking customer personal information and their pets’ confidential medical documents.