Security researchers have found a misconfigured database that belongs to Tommy Hilfiger that exposed the personal data of hundreds of thousands of their customers. The problem comes from a misconfigured Elasticsearch database that researchers are calling a “minimal manipulation.” The leaky database could be used to access customer information to include, names, phone numbers, addresses, email addresses and dates of birth. This information was found in an unencrypted plain text format. It does not appear that credit card or financial information was included in this data. Other information that was included was membership ID numbers, dates of purchases and details on a large number of orders. The information that was available to attackers could be used to engage in a phishing-style scam by using the customer’s purchase history to create authentic-looking marketing emails that ask for more personal or financial data. Tommy Hilfiger was contacted and a spokesperson stated, “We take this allegation seriously.” Tommy Hilfiger is owned by PVH Corp, which is one of the largest fashion companies in the world and the parent company of other brands such as Calvin Klein, Izod, and others.
Analyst Notes
Users should be aware that phishing emails are one of the most prevalent style attacks that are being used. Clients should inspect any marketing emails from Tommy Hilfiger for legitimacy. If an email is received asking for login or financial information, the company should be contacted directly for authenticity.
