I usually withhold information about a leaky site until it’s been secured, but when a company repeatedly fails to follow up and ignores notifications by phone and email, and when the company responsible for their site also ignores notification, it’s time to go public, I think.
More than one month ago, I was contacted by a consumer who was frustrated that Factory RV Surplus was exposing his information and that it had been indexed by Google. He called them and spoke to them, but nothing changed. He also contacted authorize.net, who also did nothing. In frustration, he turned to DataBreaches.net. This site attempted to contact the firm directly, but got no response. This site then contacted Digital Hill Media on July 25, as they are listed in the domain registration as the responsible Tech admin.
There was no response to that email notification which said, in part, that I had confirmed that over 7,000 customers’ information was leaking/exposed. In actuality, over 8,500 customers have data exposed and indexed by Google. The exposed data include billing and shipping names, postal and email addresses, telephone numbers, and partial credit card numbers.
Factory RV Surplus’s privacy policy – which the Federal Trade Commission holds businesses to – says:
“We do not share your personal information with anyone, for any reason.
We use secure sockets layer (SSL) protocol to create a uniquely encrypted channel for private communications over the public internet.
Encryption Level: 256-bit
Factory RV Surplus takes on-line security of our customers seriously, and will continue to upgrade our defenses as new technology becomes available.”
Since a customer claims he repeatedly contacted Factory RV Surplus to get them to address this problem, and it’s still not addressed, and they and their tech vendor ignored notifications from this site as well, the privacy policy does not seem to be for real.
So… if you’re thinking of ordering anything from Factory RV Surplus, think long and hard, because they have been, and are, exposing customer personal information and partial credit card information.
And because of Indiana’s data breach statute, they will not even be required to notify consumers of the leak if they ever get around to addressing it.
I spoke with the Indiana State Attorney General’s Office earlier today, and they’ve agreed to reach out to the business to see if they can get them to secure the consumer information. If not, maybe the Federal Trade Commission can?
Update August 26: clicking on the link to the exposed file now returns a 404. It shouldn’t have taken so much effort to get this addressed.
I hope your efforts are not rewarded with a threat of a lawsuit, or some such nonsense. Not everyone has heard of the .
Oh, if I get threatened with a lawsuit, I’ll be sure to publish it. Then you can go grab some popcorn.