Oliver Hough, a security researcher at London-headquartered cyber security firm Cyjax, discovered the ‘migration’ database, which contained unencrypted information relating to about 30,000 customers.
It included names, email addresses, phone numbers and some chat transcripts relating to customers from the UK, Ireland and the US.
Hough found the information on 5 November and attempted to contact Vistaprint about it, but did not get a response from the Cimpress-owned web-to-print giant.
Cyjax issued an internal alert to clients with a description of what had been found. The database was subsequently taken down by Vistaprint after the company was contacted by a journalist from TechCrunch.
In a statement, Vistaprint said: “We can confirm that a Vistaprint internal research database, containing some customer data, became publicly available online. We have already taken the database offline and can confirm that it is no longer accessible. Following an investigation, we concluded that no one outside of Vistaprint accessed the data beyond the security researcher and journalist who found it.
“The database contained information relating to less than 30,000 customers out of our 17 million customers worldwide, including names, email addresses, phone numbers and some customer chat transcripts. We have verified that no credit or debit card information was contained within this database. We are continuing to check every relevant customer chat transcript to ensure that no additional financial data was discussed or included during these chats.”
Ian Amit, chief security officer at Cimpress, apologised for the error.
He said: “This is unacceptable; this should not have happened under any circumstances and we are extremely sorry. As a priority, we are now beginning to contact all affected customers to inform them of next steps.
“We are carrying out a full investigation to understand exactly what occurred and how to prevent anything like this happening in the future. If any of our customers have any questions on this matter, I encourage them to contact our customer care team via email at firstname.lastname@example.org. They will be able to help with individual concerns.”
Hough told Printweek that this sort of find was not uncommon.
“The type of database – RethinkDB – is fairly common to find misconfigured, allowing public access; the data inside varies vastly,” he explained.
“You should make sure you have strict change control in place to avoid basic misconfigurations like this.”
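The kind of change-control check Hough is describing can be automated before a RethinkDB server is started. The script below is an added illustration written for this article; it is not code from Vistaprint, Cyjax or the RethinkDB project, and the two configuration files it inspects are constructed samples, not the Vistaprint database's real settings. It assumes rethinkdb.conf-style `key=value` lines, that the `bind`, `driver-port`, `http-port`, `no-http-admin` and `initial-password` keys carry their documented meanings, that the server binds to loopback only when `bind` is absent, and that the built-in `admin` account has an empty password until one is set. It flags the combination that turns a research database into a public one: listening on every interface while the admin password is still empty.

```python
"""Lint a RethinkDB server configuration for the misconfiguration that exposes
the database to the internet without authentication.

Added example for this article, not code from Vistaprint, Cyjax or RethinkDB.
Assumptions (see lead-in): rethinkdb.conf-style key=value lines; documented
meaning of bind, driver-port, http-port, no-http-admin, initial-password;
loopback-only bind by default; empty admin password until one is set.
"""
import ipaddress

# Constructed sample: the weak configuration that makes the driver port and
# the web admin UI reachable from any network with no password at all.
WEAK_CONF = """\
# rethinkdb.conf for a one-off migration database
directory=/var/lib/rethinkdb/migration
bind=all
driver-port=28015
http-port=8080
"""

# Constructed sample: the corrected configuration. Loopback only, web admin UI
# disabled, and an admin password generated on first start.
FIXED_CONF = """\
directory=/var/lib/rethinkdb/migration
bind=127.0.0.1
driver-port=28015
no-http-admin
initial-password=auto
"""


def parse_conf(text):
    """Parse rethinkdb.conf-style lines into {key: [values]}.

    A bare key (for example `no-http-admin`) is a boolean flag and is stored
    with an empty string as its value. Comments and blank lines are ignored.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip() if sep else "")
    return conf


def is_public_bind(value):
    """True if a `bind` value makes the server reachable beyond loopback.

    Anything that is not an explicit loopback address is treated as public;
    an unparseable value is reported rather than silently accepted.
    """
    v = value.strip().lower()
    if v == "all":
        return True
    if v == "localhost":
        return False
    try:
        return not ipaddress.ip_address(v).is_loopback
    except ValueError:
        return True


def audit(text):
    """Return a list of findings for the configuration; empty means clean."""
    conf = parse_conf(text)
    findings = []

    # Assumption: with no `bind` line RethinkDB listens on loopback only.
    binds = conf.get("bind", ["127.0.0.1"])
    public = [b for b in binds if is_public_bind(b)]
    if not public:
        return findings
    findings.append(
        "bind=%s: server listens on non-loopback interfaces" % ",".join(public)
    )

    # Driver port is what clients (and internet scanners) talk to. With no
    # initial-password the admin account is still the default empty password.
    driver_port = conf.get("driver-port", ["28015"])[-1]
    if "initial-password" not in conf:
        findings.append(
            "driver port %s reachable with the default empty admin password"
            % driver_port
        )

    # The web admin UI should never face a public network.
    if "no-http-admin" not in conf:
        http_port = conf.get("http-port", ["8080"])[-1]
        findings.append("web admin UI on port %s exposed" % http_port)

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run it as a pre-start or CI gate and fail the change when `audit()` returns anything. One caveat from RethinkDB's own behaviour, stated here as an assumption rather than something the article covers: `initial-password` only takes effect when the data directory is created, so an already-initialised server keeps whatever password the admin account had, and the password must then be changed through the `rethinkdb` system database instead.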
Hough said that Amit had also been in touch with him to apologise that his team had not been in contact sooner.
Vistaprint may need to report itself to the Information Commissioner’s Office (ICO) over the incident.
A Vistaprint spokesperson told Printweek: “I can confirm that we are in contact with the relevant data protection authorities in affected countries and will comply with regulations as required.”
Web-to-print behemoth Cimpress had sales of $2.75bn (£2.13bn) in its most recent financial year. Vistaprint, which targets its offering at SME businesses, is its biggest business unit with sales of more than $1.47bn.