Tuft & Needle exposed thousands of customer shipping labels




 

Mattress and bedding giant Tuft & Needle left hundreds of thousands of FedEx shipping labels containing customer names, addresses, and phone numbers on an unprotected cloud server.

More than 236,400 shipping labels were found on an Amazon Web Services (AWS) storage bucket that was not protected with a password, allowing anyone who knew the easy-to-guess web address to access the customer data. Often, owners misconfigure these AWS storage buckets by setting them to "public" rather than "private."

The exposed labels were created between 2014 and 2017 during the company's early years. Tuft & Needle was founded in 2012 in Arizona. But some labels were printed as recently as 2018.

It's not known for how long the storage bucket was left open.

Two customer shipping labels of the hundreds of thousands exposed. We have redacted the shipping labels to protect the customers' privacy. (Screenshot: TechCrunch)

U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records.

We contacted Tuft & Needle about the data exposure on Monday. The storage bucket was quickly shut down.

"We've secured any potential exposure and are investigating the matter further," said spokesperson Brooke Figlo in an email.

Tuft & Needle said it would "comply" with any applicable state data breach notification laws, but did not explicitly say if the company would inform customers of the security lapse.

