​Misconfigured ElasticSearch database belonging to Tommy Hilfiger exposed customers personal information

• The data stored in the leaky database includes customers’ personal information such as names, addresses, phone numbers, email addresses, and dates of birth.
• The database also contained customers’ transaction information such as membership ID numbers, orders made, dates of purchase, product descriptions, prices, SKUs and details on millions of orders.

What is the issue?

Two security researchers from Safety Detective, Noam Rotem, and Ran Locar uncovered a misconfigured ElasticSearch database belonging to Tommy Hilfiger Japan that exposed the personal information of hundreds of thousands of customers.

The researchers describe this security issue as a ‘minimal manipulation’ that could allow attackers to gain access to customer data.

What data was exposed?

• The data stored in the leaky database includes customers’ personal information such as names, addresses, phone numbers, email addresses, and dates of birth.
• The database also contained customers’ transaction information such as membership ID numbers, orders made, dates of purchase, product descriptions, prices, SKUs and details on millions of orders.
• However, no payment card details or financial information were included in the database.

What’s the conclusion?

Upon discovery, the researchers contacted Tommy Hilfiger to notify them about the unprotected database.

“We take this allegation seriously,” a spokesperson for Tommy Hilfiger said.

Tommy Hilfiger’s representatives escalated the issue to its parent company PVH Corp. A representative for PVH Corp revealed that the issue stemmed from a third-party operator that manages the Tommy Hilfiger Japan website.

Upon learning the incident, the company immediately worked to address the issue and quickly resolved the issue.

However, the bad actors could use the exposed information to contact the customers impersonating Tommy Hilfiger representatives and could ask for financial information. Therefore, customers are requested to be cautious and make sure they do not provide any information via email or phone call.