23 April 2011 @ 08:37 pm
The privacy of Rewards members email addresses?  

Did you know that the Brierley website discloses the details of Borders Rewards members on a totally public/non-secured website?
Check this link and look up your account. Or even look up other accounts or if you want, change any account that you might find.


Yes you can see them, all of them and change them if you want.

Many months ago when I was still an employee, I pointed out this security flaw to my manager, district manager, customer support and Open Mike. Although it appeared to me as a major privacy breach, there was a resounding silence.

Borders privacy policy states:

Borders, Inc., Borders Direct, LLC and Walden Book Company, Inc., are subsidiaries of Borders Group, Inc. Borders, Inc., Borders Direct, LLC, Walden Book Company, Inc., and their affiliated companies (collectively, "Borders", "We", or "Us") believe that your personal information—including your purchase history, phone number(s), email and residential addresses, and credit card data—belongs to you. We collect this type of information to serve you better when you provide it to us, but we do not rent or sell your information to third parties. From time to time, we may ask if you are interested in receiving information from third parties whose services or information we think would be of value to you. In those instances, we will only disclose your email address or other personal information to third parties if you expressly consent to such disclosure.

Disclosure Of Your Personal Information

Except as described in this Privacy Policy, personal information you provide to Borders through the Websites, the kiosks, the Borders Rewards or Borders Rewards Perks programs, or any of our email subscription or mobile content delivery programs, will not be shared outside of Borders and its service providers without your permission.

borderscustomer on April 24th, 2011 01:14 am (UTC)
So...if I had a list of emails or phone numbers, I could look for ones that have Borders Bucks on account, change all the information except the account number, and go claim the Borders Bucks at my nearest Borders store? Then I score some free books and return them for cash?

I just changed the phone number on my husband's Borders account.
oldbookseller on April 24th, 2011 01:16 am (UTC)
Now if you can only figure out how to load my account with about $150,000 in Borders Bucks we will really have something sweet...

That's ok...we got cookies !!! WOOHOO !!!

booktramp on April 24th, 2011 02:06 am (UTC)
new new low
I am stunned. Shocked. This is bad. Very, very bad.
oldbookseller on April 24th, 2011 02:53 am (UTC)
After witnessing how great BS2 works...why would you think the IT department would get this right either ?

Here's something to consider if you are in a going forward store...since there aren't as many stores in your area as there used to be...what do you want to bet that your special orders are going to go way up (especially the phone call specials) ? Or they would if BS2 wasn't a basket case of problems.

I bet this hasn't even crossed the minds of higher ups yet.
ron_newman on July 30th, 2011 01:52 am (UTC)
Shouldn't http://bordersacctweb.brierley.com/waldenpos.aspx have been removed by now? It's still there. You can't modify anyone's account anymore but you can still look them up from an e-mail address, a phone number (last 7 digits only), or a Borders Rewards card number.

ETA, August 2, 11:50 am: It's gone again now.

Edited at 2011-08-02 03:59 pm (UTC)
smackh20jack on April 24th, 2011 06:02 am (UTC)
Un Effin Believable!
Thanks for finding this lovely security flaw. I don't think IT had anything to do with this. The data is managed by Brierley+Partners. What is unconscionable is the fact that nothing was done about this after the OP reported it.

So now that the email list is wide open, and posted on LJ, let's see how long it takes before AA/Brierley does something about it.
poets1 on April 24th, 2011 04:24 pm (UTC)
Re: Un Effin Believable!
Wow! So typical of Borders to let this happen and then to completely ignore the problem when it was pointed out to them. Should we make this known to the outside world? Or maybe it already is.
poets1 on April 24th, 2011 04:34 pm (UTC)
I went to the website itself. How did you access that information? How did you get the Borders Rewards screen to come up? I can do it from the link you provided, but can't seem to bring it up when I google the website.
underperformer on April 24th, 2011 09:36 pm (UTC)
They actually gave us the link
When they set up the e-learning training site last summer, they encouraged us to enroll our rewards account to become Plus members and provided the link via the training site. That training site was accessible from any browser but was at least password secured. The Brierley link was not. My first stop up the chain of information was to let the site admin for the training site know about the breach. I then did the store manager/DM/Open Mike/customer care route.
Now that I am an ex-employee, I felt that it was now my civic duty to advertise the leak. If it does get plugged it will be most ironic that posting on livejournal was more effective than going up the appropriate chain of command as an employee.
To me it has the makings of a class action breach of privacy lawsuit.
Hackers who are looking for private info don't need to rely on google searches to find security leaks.
fridrikr on April 24th, 2011 05:36 pm (UTC)
lying, hypocritical bastages!
Leave it to Borders... for five + years, I sold people on Borders Rewards by telling them that their e-mail was secure, that Borders would never release it, etc.

And now, this.........

Of course, it figures that nobody in AA would fix this, or demand that Brierley fix it. Why not? THAT would cost too much. So, the customers' privacy be damned.

poets1 on April 25th, 2011 07:08 pm (UTC)
The link doesn't work anymore. Did they finally do something about it?
underperformer on April 26th, 2011 12:09 am (UTC)
Ironic that posting on LiveJournal finally got Ann Arbor to act
Last August I tried every official Borders method of contact to let the powers that be know about the leak and got no action on the problem.
Post on LiveJournal and the public link is finally removed. What does that say about the state of the company.
Maybe some of the creditors would like to post here as well if they want to make their voice heard by Borders management!
(Anonymous) on April 26th, 2011 02:40 am (UTC)
It was even on Bookmark today! Funny what it takes to get their attention.
(Anonymous) on April 26th, 2011 04:05 am (UTC)
Finally, an acknowledgement
Well, your attempt to go up the corporate ladder to get something done about this didn't work, but your posting on LJ apparently got their attention.

There's an item on Bookmark about it today -- Monday -- and corporate says it's working with the provider to "resolve the problem." It'll be interesting to see how long that takes.
(Anonymous) on April 26th, 2011 08:45 am (UTC)
Borders is in the process of trying to convince their creditors that they can operate an online company; their plans project a 60-40 split in B&M-Online sales. Their progress in enrolling Borders+ members in spite of bankruptcy proceedings is a prominent part of their message these days (and deserving of cookies!)

To have it revealed that all this time they couldn't be bothered to keep customer information protected, in spite of assurances made to customers, and that front-line minimum-wage employees were trying to bring it to somebody's attention and being blown off, would be very damaging.

(Anonymous) on April 26th, 2011 04:21 pm (UTC)
Thank you for posting this information...
Detroit Media now picking up story further.
Ole Mary now admitting some breach occurred.
Ya think!?
dumperofu on April 27th, 2011 04:07 pm (UTC)
Borders is once again goofy
Borders is always a day late AND a dollar short. Once again Borders shows us how embarrassing they really are. Someone wrote on here how it probably isn't IT's fault, but come on, they DON'T got no IT department. They mostly got the boot.

I think it would be nice if the media picked up how we, the employees, were forced to sell those Borders Rewards cards, and were threatened with cut hours (they KNEW they were going to file Chapter 7, cough cough, I mean Chapter 11).

Borders is the gross goo that you see on the highway after an animal gets hit by a car.

savgpncl on April 27th, 2011 04:12 pm (UTC)
Privacy Issues
I see they removed the function on Bookmark where employees could add or update customer information. Also put this website behind the software firewall -- I guess so employees can't submit/read posts while they are at work. Everything this company does seems to be AFTER the fact!
ron_newman on July 30th, 2011 01:22 am (UTC)
Looks like this public site still exists, over three months later? Enter "1234567" as the phone number and you get back a whole bunch of names and e-mail addresses.

ETA, August 2, 11:50 am: It's gone again now.

Edited at 2011-08-02 03:59 pm (UTC)