Vistaprint left a customer service database unprotected, exposing calls, chats and emails

A security researcher has found an exposed database on the internet belonging to online printing giant Vistaprint.

Security researcher Oliver Hough discovered the unencrypted database last week. There was no password on the database, allowing anyone to access the data inside. The database was first detected by exposed device and database search engine Shodan on November 5, but it may have been exposed for longer.

Hough tweeted to warn the company of the security lapse, but has not heard back.

Vistaprint, owned by Netherlands-based parent Cimpress, quietly took the database offline after TechCrunch reached out but did not comment by our deadline. Robert Crosland, a spokesperson for Vistaprint, said in a statement after we published that the exposure affected customers in the U.S., the U.K. and Ireland.

“This is unacceptable and should not have happened under any circumstances,” the company said. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it,” the spokesperson said.

The company said it will inform customers of the exposure — many of whom are protected under the strict GDPR data protection rules.

The database contained five tables stored with data on more than 51,000 customer service interactions, such as calls to customer service or chats with an online support agent. The data also included personally identifiable information, including names and contact information, which could identify individual customers.

One table named “cases” contained incoming customer queries, including the customer’s name, email address, phone number, and the date and time of their interaction with customer service. Many of those customer service interactions were as recent as mid-September.

The data also contained information hidden from the customer. Each customer service interaction in the “cases” table appeared to have graded the customer’s query based off keywords picked from their query. That helped to determine the customer’s “sentiment”, which then described their complaint as either “negative” or “neutral”. The data also included the “priority” of a customer’s interaction, allowing it to be pushed higher in the queue.

Another table named “chat” contained thousands of customers’ line-by-line online chat interactions with support agents, but also contained information about the customer’s browser and network connection, where they were located, and what operating system they used, and their internet provider.

Some of the recorded chat logs also contained sensitive information like order numbers and postal tracking numbers, but there were no passwords or financial data in the exposed database.

The “emails” table contained entire email threads with customers detailing problems or other issues with their orders. And, the “phone” table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call — often including details of the customer’s orders — and an internal link (which we could not access) to the recording of the call.

The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.

According to Hough, the database was not currently sending or receiving data. The database was named “migration,” suggesting the database was used to temporarily store data while it was moved customer records from one server to another.

But it’s not clear why the database was exposed and left online without a password.

It’s the latest example of a security lapse involving lax internal data controls. This year alone, several data exposures have put millions of customers at risk, including online game ‘Magic: The Gathering”, a popular online ‘camgirl’ site, as well as job searching site and IT giant Tech Data.

Updated with a statement from Vistaprint.

Related stories: