Express Fashion Retailer Exposes Customer Data via Website Security Flaw

Express, a fashion retailer owned by WHP Global, patched a security flaw on its website that exposed customer order details and personal information to the public internet. The incident came to light after security advocate Rey Bango discovered customer orders indexed in Google search results while investigating a fraudulent transaction.

The vulnerability allowed unauthenticated access to order confirmation pages, which remained accessible until TechCrunch alerted the company.

The exposure was caused by an Insecure Direct Object Reference (IDOR) flaw in the order tracking and confirmation module of the Express web platform. Because the site used sequential order numbers in its URLs, an attacker could use automated web tools to cycle through numbers and scrape thousands of records. The absence of an authorization check meant that knowing or guessing a valid order number was all that was required to view sensitive transaction data.
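The IDOR pattern described above, as an added example that is not code from the Express site or from the original report: an order-confirmation lookup that only resolves the identifier, beside a hardened version that authorizes the request by account ownership or by an unguessable per-order token for guest checkouts. Order numbers, customer ids, e-mail addresses and card digits are constructed sample values.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_number: int                 # sequential number exposed in the vulnerable URL
    customer_id: Optional[str]        # account that placed the order; None for guest checkout
    details: dict
    # Opaque per-order token that the hardened confirmation link carries instead
    # of relying on the sequential number alone.
    access_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample data: two consecutive orders placed by different customers.
ORDERS = {
    100045: Order(100045, "cust-A", {"email": "a@example.com", "card_last4": "4242"}),
    100046: Order(100046, "cust-B", {"email": "b@example.com", "card_last4": "1881"}),
}


def confirmation_vulnerable(order_number: int, session_customer: Optional[str]) -> Optional[dict]:
    """Mirrors the flaw: existence of the order number is the only check.
    The caller's identity is accepted but never consulted."""
    order = ORDERS.get(order_number)
    return order.details if order else None


def confirmation_hardened(order_number: int, session_customer: Optional[str],
                          presented_token: Optional[str] = None) -> Optional[dict]:
    """Authorize the request rather than merely resolve the identifier.
    Access is granted only if the logged-in customer owns the order, or the
    request carries the per-order token sent in the confirmation e-mail."""
    order = ORDERS.get(order_number)
    if order is None:
        return None
    if session_customer is not None and session_customer == order.customer_id:
        return order.details
    if presented_token is not None and hmac.compare_digest(
            presented_token.encode(), order.access_token.encode()):
        return order.details
    # Same result as a non-existent order, so the response does not confirm
    # that a guessed sequential number is valid.
    return None
```

Sequential order numbers can stay for internal use; the point is that resolving one must never be the authorization decision.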

The compromised data includes:

  • Full customer names
  • Phone numbers and email addresses
  • Postal, billing, and delivery addresses
  • Order details and purchase history
  • Partial payment card information (card type and last four digits)

The number of affected individuals is not disclosed. At least a dozen orders were publicly indexed by search engines before the fix. The company has not provided an estimate for damages or the total volume of data accessed by third parties.

Express fixed the vulnerability following notification from TechCrunch, as the discoverer found no official channel through which to report the bug. The company’s head of marketing, Joe Berean, stated that the company is reviewing the matter but declined to confirm whether it holds the access logs needed to determine the extent of unauthorized access. As of the reporting date, Express has not committed to notifying affected customers or state attorneys general, nor has it set up a formal vulnerability disclosure program.