800 Australians in Vistaprint data breach

By Wayne Robinson | 4 December 2019

Web-to-print giant Vistaprint has discovered around 800 of its Australian customers were on the online data breach first revealed in an Australia-exclusive by Print21 last week, and at the time thought to not include any local customers.

Responding to the Print21 story a Vistaprint spokesperson told us, “Initially we believed only customers from the US, UK and Ireland were affected, but as our investigation has progressed, we have also identified a very small number of affected customers in other markets.

“In Australia this number is less than 800 out of our 17 million customers worldwide.

“We have already contacted them directly to apologise and explain our suggested next steps, which includes advising them to change their passwords.”

*Available: Vistaprint customer data file online*

The details of the 800 Australians were on an unencrypted database containing 30,000 customer details that was found online by an internet security specialist from UK cyber security firm Cyjax, which discovered what it called a migration database.

Cyjax said it contained names, email addresses, phone numbers, and some chat transcripts involving customers. However, Vistaprint says it did not contain any financial information, the company saying, “We have verified that no credit or debit card information was contained within this database. We are continuing to check every relevant customer chat transcript to ensure that no additional financial data was discussed or included during these chats.”

The database in question was taken down by Vistaprint after it was contacted by a journalist. Apparently it was accessible thanks to a fairly common mistake. Reports indicate that the type of database – RethinkDB – is regularly misconfigured, allowing unauthorised access. Experts say implementing strict change controls will avoid these misconfigurations.

As print businesses develop a greater connection with data, the security of data has become a top-of-the-agenda item, particularly with web-to-print businesses and with the arrival of white label web-to-print websites that existing print businesses can implement.

Vistaprint said: “We can confirm that a Vistaprint internal research database containing some customer data became publicly available online. We have already taken the database offline and can confirm that it is no longer accessible. Following an investigation, we concluded that no one outside of Vistaprint accessed the data beyond the security researcher and journalist who found it.”

Vistaprint operates around the world, with its Asia Pacific base in Deer Park, Melbourne. It started as a college project 14 years ago by current president and CEO Robert Keane, and now has sales of US$1.5bn. It is the biggest part of the Cimpress Group, which has revenue of US$2.75m. It targets SMEs with an online offering, and operates highly automated print plants with top of the line equipment. Its Deer Park site has manroland offset presses and HP Indigo digital presses.