heads up if you ordered from Brownells in last couple days

[mainjet]

I bought a couple things from Brownells yesterday but then I decided to call up and cancel, so I did. Seems fine so far right?

Today I get an email conformation from them with a copy of my order. Problems is, it was also a copy of about 100 other customers orders which included their names, addresses and phone numbers along with their Brownells account numbers. There were no credit card numbers shown or anything but I am still not real comfortable with it so I canceled my account with them. It's not like I won't shop there anymore, I just don't want that floating out there. I'll start with a new accoutn if I want to buy from them in the future.

Just keep an eye out if you placed an order.

 

[WebSnyper]

I bought a couple things from Brownells yesterday but then I decided to call up and cancel, so I did. Seems fine so far right?

Today I get an email conformation from them with a copy of my order. Problems is, it was also a copy of about 100 other customers orders which included their names, addresses and phone numbers along with their Brownells account numbers. There were no credit card numbers shown or anything but I am still not real comfortable with it so I canceled my account with them. It's not like I won't shop there anymore, I just don't want that floating out there. I'll start with a new accoutn if I want to buy from them in the future.

Just keep an eye out if you placed an order.

Did you happen to report it to them. Would be good for them to know that they have released customers personal information, which is likely a breach of their privacy policies.

 

[Trigger Time]

Wow

 

[patience0830]

Brownells are good folks. I'm sure they will try and get things straightened out in an expeditious manner if you told them they had a problem.

 

[mainjet]

Did you happen to report it to them. Would be good for them to know that they have released customers personal information, which is likely a breach of their privacy policies.

Yes, I called them immediately and told them. They were aware of the problem and they were working on it.

They apologized and they were as helpful as they could be. I don't have anything against them and like I said, I would shop there in the future. But I just wasn't comfortable leaving my account intact with the information out there. So I cancelled the account for now.

 

[WebSnyper]

Yes, I called them immediately and told them. They were aware of the problem and they were working on it.

They apologized and they were as helpful as they could be. I don't have anything against them and like I said, I would shop there in the future. But I just wasn't comfortable leaving my account intact with the information out there. So I cancelled the account for now.

Cool, I order ammo from them fairly regularly lately, so appreciate the heads up for us and directly to Brownells.

 

[CCC]

A few years ago I placed an order with Brownells. A confirmation email I received did not reflect the price as advertised. I emailed them and the price was promptly corrected.

Have continued to order items from them since, no issues.

 

[XVP]

I had the same thing today with an order I placed with Brownells yesterday.

Kind of a big deal, if you ask me. Names, addresses, phone numbers PLUS a list of all the gun-related items that were purchased. About 40 or so orders were on my confirmation email.

 

[WebSnyper]

Brownell's posted this as a response to someone on Twitter in response to someone else asking about it

@BrownellsInc I ordered some items and I received 188 copies of your other customer orders & personal info in the shipping email confirmation! #securityconcern


Replying
Brownells has not suffered a “data breach” & has not been hacked by an ill-intended third party. However, a bug in Brownells’ own software program – following a recent update – has caused some confusion with a small group of customers. We've identified and fixed the issue.

7:05 AM - 28 Feb 2018​

​

That said, will be kind of interesting if there is any ramification from likely violating their own privacy policy.... guessing not in the wake of Equifax, etc, but still a release of privacy info that should not have occurred.

 

[mainjet]

It sounds like a self inflicted data breach but a data breach nonetheless. I guess I would like to see them act a bit more concerned about their customers info being sent out.

 

[bwframe]

Yikes, I feel bad for the folks involved. My order wasn't one you seen was it? (3 this month.)



In other news, I smell a big Brownells promo/discount/sale in the next few weeks.

 

[jfw46544]

I placed an order with them on line last night. No problems on the confirmation email.

 

[WebSnyper]

It sounds like a self inflicted data breach but a data breach nonetheless. I guess I would like to see them act a bit more concerned about their customers info being sent out.

Agreed, it is to be taken seriously. I thought their Twitter response was a bit weak as well. Not sure if they have responded any more, etc.

 

[BE Mike]

Not good, but if the information only got out to Brownells customers, I would think that the risk is very low. Brownells is a well-established and well-run company. They have very knowledgeable associates. I'm sure that they already have a handle on this.

 

[Trigger Time]

If you received my name and info and what I ordered the only thing I ask of you is not to tell my wife how much it cost

 

[WebSnyper]

Not good, but if the information only got out to Brownells customers, I would think that the risk is very low. Brownells is a well-established and well-run company. They have very knowledgeable associates. I'm sure that they already have a handle on this.

Trick is they cannot control it once it is out there. Also, even though it is very much in their favor, I'm pretty sure it violates their privacy policy: https://www.brownells.com/aspx/general/privacy_policy.aspx as I'm pretty sure they did not disclose they would sent it to other customers when the information was provided (see bolded section below).

I'm not overly worried about it, but Brownells should really notify folks about this, especially if they know particular customers were affected. That said, since Equifax didn't even get much of a slap on the wrist (even though they deserve to be under full consent decree and have to remediate just to stay in business IMO, and I don't say that lightly given my disdain for govt involvement in the market, but in this case those affected cannot really hold Equifax responsible), I'm sure no one cares about this information disclosure compromise.



11. Disclosure of Your Information. We may disclose aggregated information about our users, and information that does not identify any individual, without restriction. We may disclose Personal Information that we collect or you provide as described in this privacy policy:
a. to our subsidiaries and affiliates;
b. to contractors, service providers and other third parties we use to support our business and who are bound by contractual obligations to keep Personal Information confidential;
c. to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Brownells' assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which Personal Information held by Brownells about our Websites’ users is among the assets transferred;

1. 1. to fulfill the purpose for which you provide it;
   2. for any other purpose disclosed by us when you provide the information;
      
   3. with your consent;
   4. to comply with any court order, law or legal process, including to respond to any government or regulatory request;
   5. to enforce or apply our Terms of Use and other agreements, including for billing and collection purposes; and/or
   6. if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Brownells, our customers or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction;

I contacted them via chat, and CSR Hyrum took my questions. He seemed very nonchalant. I'll be filling out the survey as well.

• Websnyper: Hello, I have placed some recent orders and have recently read where Brownells customer information was sent to other customers who placed orders in what appears to have been an unintentional release of privacy information regarding orders, and have concerns.
• System: Thank you for holding. Your chat will be answered by the next available agent.
• Hyrum: Hello, Welcome to Brownells, Inc. I will be glad to assist you with your question. One moment.
• Websnyper: Thank you Hyrum
• Hyrum: Yes Websnyper how can I help?
• Websnyper: Hello, I have placed some recent orders and have recently read where Brownells customer information was sent to other customers who placed orders in what appears to have been an unintentional release of privacy information regarding orders, and have concerns.
• Websnyper: concerned that my information may have been released
• Websnyper: in violation of Brownells Privacy policy
• Hyrum: Ok Websnyper, we did experience was not a data breach, but a technical issue.
• Websnyper: I understand but it is still in violation of the privacy policy
• Websnyper: can you advise if any of my info was released
• Websnyper: doesn't matter if you were compromised externally or it was a system issue, it is still a release of privacy information
• Hyrum: Customers impacted have been contacted.
• Websnyper: ok, were they sent an email or postal mail? Just trying to make sure I know what to look for
• Websnyper: if I was impacted
• Hyrum: It would be email.
• Websnyper: ok, thank you for that information
• Hyrum: Any other questions?
• Websnyper: No, that's it. Thank you
• Hyrum: Thank you for contacting Brownells Chat Team. Your feedback is important to us. Please rate your experience by following the link about to a survey.
• System: Survey link redacted
• System: Survey link redacted
• System: Your chat has ended.

 

[BE Mike]

Trick is they cannot control it once it is out there. Also, even though it is very much in their favor, I'm pretty sure it violates their privacy policy: https://www.brownells.com/aspx/general/privacy_policy.aspx as I'm pretty sure they did not disclose they would sent it to other customers when the information was provided (see bolded section below).

I'm not overly worried about it, but Brownells should really notify folks about this, especially if they know particular customers were affected. That said, since Equifax didn't even get much of a slap on the wrist (even though they deserve to be under full consent decree and have to remediate just to stay in business IMO, and I don't say that lightly given my disdain for govt involvement in the market, but in this case those affected cannot really hold Equifax responsible), I'm sure no one cares about this information disclosure compromise.



11. Disclosure of Your Information. We may disclose aggregated information about our users, and information that does not identify any individual, without restriction. We may disclose Personal Information that we collect or you provide as described in this privacy policy:
a. to our subsidiaries and affiliates;
b. to contractors, service providers and other third parties we use to support our business and who are bound by contractual obligations to keep Personal Information confidential;
c. to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Brownells' assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which Personal Information held by Brownells about our Websites’ users is among the assets transferred;

1. 1. to fulfill the purpose for which you provide it;
   2. for any other purpose disclosed by us when you provide the information;
      
   3. with your consent;
   4. to comply with any court order, law or legal process, including to respond to any government or regulatory request;
   5. to enforce or apply our Terms of Use and other agreements, including for billing and collection purposes; and/or
   6. if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Brownells, our customers or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction;

I contacted them via chat, and CSR Hyrum took my questions. He seemed very nonchalant. I'll be filling out the survey as well.

• Websnyper: Hello, I have placed some recent orders and have recently read where Brownells customer information was sent to other customers who placed orders in what appears to have been an unintentional release of privacy information regarding orders, and have concerns.
• System: Thank you for holding. Your chat will be answered by the next available agent.
• Hyrum: Hello, Welcome to Brownells, Inc. I will be glad to assist you with your question. One moment.
• Websnyper: Thank you Hyrum
• Hyrum: Yes Dustin how can I help?
• Websnyper: Hello, I have placed some recent orders and have recently read where Brownells customer information was sent to other customers who placed orders in what appears to have been an unintentional release of privacy information regarding orders, and have concerns.
• Websnyper: concerned that my information may have been released
• Websnyper: in violation of Brownells Privacy policy
• Hyrum: Ok Websnyper, we did experience was not a data breach, but a technical issue.
• Websnyper: I understand but it is still in violation of the privacy policy
• Websnyper: can you advise if any of my info was released
• Websnyper: doesn't matter if you were compromised externally or it was a system issue, it is still a release of privacy information
• Hyrum: Customers impacted have been contacted.
• Websnyper: ok, were they sent an email or postal mail? Just trying to make sure I know what to look for
• Websnyper: if I was impacted
• Hyrum: It would be email.
• Websnyper: ok, thank you for that information
• Hyrum: Any other questions?
• Websnyper: No, that's it. Thank you
• Hyrum: Thank you for contacting Brownells Chat Team. Your feedback is important to us. Please rate your experience by following the link about to a survey.
• System: Survey link redacted
• System: Survey link redacted
• System: Your chat has ended.

Wow! Do you think you possibly could be overreacting just a tad?

 

[bwframe]

Please tell me if there is a serious threat here?

Maybe I'm just odd, but anything I've ever typed onto a keyboard related to the Internet I do with the impression it might not be private.

 

[WebSnyper]

Wow! Do you think you possibly could be overreacting just a tad?

Dealing with IT all the time as well as certain regulated industries, makes you very aware of Privacy Information protection.

I was polite, and didn't pursue the CSR beyond getting some kind of answer about notifications. I don't think I over reacted at all. However, I do want them aware that it is a problem. Where exactly do you think I overreacted?

Are you okay with other info that has been released in similar ways fairly recently, such as lists of names of everyone that has an LTCH for example, and things like that?

Again, It's not like I demanded anything, or got rude with the CSR (at least don't think I did).

 

[WebSnyper]

Please tell me if there is a serious threat here?

Maybe I'm just odd, but anything I've ever typed onto a keyboard related to the Internet I do with the impression it might not be private.

Probably not overly serious, and yes, I agree things I post online, etc are not private. However, retailers do need to take this stuff seriously. It is all to common for retailers not to take this kind of stuff seriously.