tarte is back in the headlines less than a week after landing in hot water over a racist meme post. This time, the makeup brand is at the center of a “security breach” that exposed the personal information of over 1,000 customers. I took it upon myself to find out what happened and it’s a wild ride, so buckle up.
First, people who had recently ordered from the company woke up the morning of September 25 to find upwards of 60 emails from tarte. At first glance, it looks like an order confirmation that was accidentally sent over 50 times.
But looking closer, you can see that each email is addressed to someone new and holds different confirmation numbers:
Reddit user @hopelessmuse shared via Makeup Addiction, “When you clicked on the order status link in the e-mail, it took you to the Tarte website and gave you even more personal info: the last 4 digits of the credit card they used and their personal phone number.” Others also claimed to see home addresses, so I kept digging.
When @hopelessmuse finally reached out to tarte, she reported that the brand encouraged consumers to simply delete the emails in question: “they are aware of the situation and dealing with it. i asked how they were dealing with it and was told they are telling everyone simply to delete the e-mails. You have the identities and personal info of more than 50 people and you expect everyone to simply delete them from their inbox and be okay with that?” Hopelessmuse’s Reddit post has since gotten over 5,000 upvotes, while Twitter has also exploded with questions for the company.
User @Kassbah tweeted tarte asking what was going on and later posted screenshots of the emails they sent to her, which explained that there was an issue with tarte’s “shipment notification tool” that caused an isolated event during the weekend:
But what exactly happened? What is a “shipment notification tool” and was sensitive information of real customers actually released? By now, Reddit, Facebook, and Twitter users have gone into panic mode with talk of canceling credit cards and filing lawsuits.
I took the time to read most of the comments before coming to a clear conclusion. Ultimately, this isn’t a serious mishap (like Equifax and their Social Security blunder) because the information in the emails isn’t personally identifiable information. This means what’s in the emails could be found online, on a receipt or in a phone book.
However, this could still cause potential damage if phishers use the basic information to con companies and online sites into releasing more information on the original person. To truly get to the bottom of things, I emailed the company for answers. Candace Craig Bulishak, tarte CMO, copied a statement from James Novara, tarte’s VP of e-commerce & IT, citing a software mishap that affected 1,400 orders:
“We take this situation seriously and, in addition to fully refunding the affected customers’ orders, we are sending some new holiday items to make up for any inconvenience this issue may have caused. We want to assure our customers that no information was disclosed that would expose them to a heightened risk of identity theft or similar harm,” wrote Novara.
Reddit user @mathandmascara also says tarte sent out an email today with the subject reading “mathandmascara, Important News About Your Account.” She thought it was going to be an apology or explanation for what happened, but instead, they told her to sign up for their new rewards program, which requires people to reset their passwords. To this @mathandmascara aptly replied, “Really Tarte? Making YOUR customer change their password disguised as a rewards program because YOU had a security breach? That’s just shady.”
In light of the recent Equifax hack, seeing a company skirt an issue in a way that doesn’t make anyone feel secure is a little alarming. Only time will tell if this glitch affects tarte’s future business.