May 10, 1999 6:40 PM PDT
Netmarket exposes customer order data
A software engineer in Bellevue, Washington, last night discovered that he could view other customer orders after he bought speakers on Netmarket.
When checking the status of his order, the engineer, who asked to remain anonymous, noticed that his order number was incorporated into the URL. By replacing his order number with random numbers, he obtained access to pages revealing information about other customers. Information on those pages included names, addresses, and phone numbers, as well as details about the orders.
"It's kind of scary to me," the engineer said. "I'm glad no credit card numbers were there or else I'd be really freaked out."
A random check by CNET News.com found orders dating back to June 1998. As many as 983,000 orders may have been exposed.
Laurie Quinn, a spokesman for Cendant, which owns Netmarket, said the company was unaware that customer order information was open. Attributing the problem to "a bug in our system," Quinn said Netmarket fixed the problem immediately after being notified by CNET News.com.
"We do everything we can to insure customers' privacy," Quinn said.
Recently, similar security breaches were discovered on Yahoo and dozens of small e-commerce sites. Ken Allard, a site operations analyst at Jupiter Communications, said Net users should expect more security problems in the near future.
"I expect that this kind of activity will not be unheard of or even rare as companies continue to build expertise," Allard said.
But consumers may win in the end, according to Balderston. Companies that rush to establish their brand names online may find them tarnished if they don't address privacy concerns, he said.
"If you ignore it, people are going to say, 'They're sleazy,'" Balderston said. "It's emotionally a very charged issue and it's not going away."
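The flaw reported above, where the order number in the URL was the only thing selecting which record a page showed, is sketched here as an added example; it is not Netmarket's code, and the article does not say how the company fixed it. The function names, customer identifiers, and order records are hypothetical and constructed for illustration, with the flawed lookup shown beside one that checks ownership.

```python
# Constructed sample data: order number -> record, including the owning customer.
ORDERS = {
    1001: {"customer_id": "alice", "item": "speakers", "ship_to": "constructed address A"},
    1002: {"customer_id": "bob", "item": "modem", "ship_to": "constructed address B"},
    1003: {"customer_id": "alice", "item": "cables", "ship_to": "constructed address A"},
}


class NotFound(Exception):
    """Raised for missing AND not-owned orders, so replies do not reveal which numbers exist."""


def order_status_flawed(session_customer_id, order_number):
    # Flawed: the number taken from the URL is the only selector.
    # The logged-in customer is never compared with the order's owner.
    order = ORDERS.get(order_number)
    if order is None:
        raise NotFound(order_number)
    return order


def order_status_checked(session_customer_id, order_number):
    # Hardened: return the record only if it belongs to the logged-in customer.
    order = ORDERS.get(order_number)
    if order is None or order["customer_id"] != session_customer_id:
        raise NotFound(order_number)
    return order


def readable_orders(handler, session_customer_id):
    """Regression check: which stored order numbers can this customer read via handler?"""
    readable = []
    for number in sorted(ORDERS):
        try:
            handler(session_customer_id, number)
            readable.append(number)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    print("flawed :", readable_orders(order_status_flawed, "bob"))
    print("checked:", readable_orders(order_status_checked, "bob"))
```

A check like `readable_orders` belongs in a site's own test suite, run against every page that takes a record identifier from the request.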