The personal information of tens of thousands of customers of Saks Fifth Avenue has been publicly available in plain text online, BuzzFeed News has learned.

The online shopping site for the brand is maintained by the digital division of its owner, the Canada-based Hudson's Bay Company. Until recently, unencrypted, publicly accessible web pages on the site contained tens of thousands of records for customers who signed up for wait lists to buy products.

The records included email addresses and product codes for the items customers expressed interest in buying; some also contained phone numbers. Each record also included a date and time, and one of a handful of recurring IP addresses.

The pages, which were reviewed by BuzzFeed News in recent days, were taken offline after HBC was contacted for comment on this story. The Saks website also serves logged-in customers some pages over unencrypted connections, leaving online shoppers' information vulnerable to hackers while they browse the site on an open Wi-Fi network.

"This is as bad as security gets," said Robert Graham, a cybersecurity expert and owner of Errata Security, to BuzzFeed News. "Everyone is vulnerable."

"We take this matter seriously," a Hudson's Bay Company spokesperson told BuzzFeed News. "We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent."