J.Crew Clothing Company is Selling Your Data

J.Crew is a clothing and accessory retailer with 300 stores in the United States. As it turns out, they are also big fans of selling private data of their customers to the highest bidder. I was recently contacted by a trusted source with evidence that there is a connection between purchases made on J.Crew and that same data showing up in an IRBsearch background check, with data provided by LexisNexis.

IRBsearch is a multifaceted investigative resource company based out of Tallahassee, FL that offers comprehensive background checks using data pulled from LexisNexis and other sources. Their website boasts about their data collection services, claiming "Finding someone has never been easier", using their "proprietary [data] linking strategies". IRBsearch provides background check capabilities to private companies for pre-employment and investigative purposes. LexisNexis is one of the largest data collection providers in the world, and provides that data to IRBsearch and countless other organizations and government entities.

My source is a user of the privacy protection tools Blur and Maskme. Blur/Maskme provides users a number of masking capabilities, including temporary credit card numbers, E-mail addresses, and password management. Their browser add-ons make this a seamless process, allowing you to easily use a new identity for each website you register on. The primary benefit of the E-mail address management functionality is that it lets you track down spammers: if you only ever register for one website with the E-mail xyz123@example.com, and you start getting spam to that address, you can bet it's the website that sold you out.
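The attribution technique described above, as an added example that is not part of the original article and not how Blur/Maskme is implemented: each site gets its own address, so any address that surfaces in third-party data names the site it was given to. Deriving the aliases with an HMAC, and the secret, domain, site names and sample report, are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional

# Every name and value here is constructed for illustration.
SECRET = b"constructed-demo-secret"
ALIAS_DOMAIN = "alias.example"
REGISTERED_SITES = ["shop-a.example", "news-b.example", "forum-c.example"]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def alias_for(site: str) -> str:
    """Derive the one address used to register at `site` and nowhere else."""
    digest = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).digest()
    local = base64.b32encode(digest[:10]).decode().lower()  # 16 chars, no padding
    return f"{local}@{ALIAS_DOMAIN}"


def attribute(address: str, sites=REGISTERED_SITES) -> Optional[str]:
    """Return the site an address was issued to, or None if it is not an alias."""
    candidate = address.strip().lower().encode()
    for site in sites:
        if hmac.compare_digest(alias_for(site).encode(), candidate):
            return site
    return None


def find_leaks(document: str, sites=REGISTERED_SITES) -> Dict[str, str]:
    """Map every alias seen in third-party text to the site that received it."""
    leaks = {}
    for addr in EMAIL_RE.findall(document):
        site = attribute(addr, sites)
        if site is not None:
            leaks[addr.lower()] = site
    return leaks


# Constructed sample: text of a third-party record that should not hold the alias.
SAMPLE_REPORT = (
    "Subject emails on file: jane.doe@mail.example; "
    + alias_for("shop-a.example").upper()
    + ". Source: commercial data."
)

if __name__ == "__main__":
    for addr, site in find_leaks(SAMPLE_REPORT).items():
        print(f"{addr} was only ever given to {site}")
```

Because the alias is derived rather than looked up, no alias-to-site table has to be stored; keeping the secret and the list of sites is enough to attribute an address later.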

In this case, though, the service didn't just track down a shady company selling your data to spammers, it seems to have exposed an ongoing relationship between a multi-billion-dollar retailer and a multi-billion-dollar data collection corporation. In the United States, companies are not required to inform you when your private data is shared, and many companies like J.Crew would obviously prefer you not to know. J.Crew's privacy policy contains copious amounts of legalese to basically give them an all-access pass to the data you provide them, absolving them of any legal wrongdoing.

These screenshots, albeit heavily redacted to protect my source's privacy, demonstrate the clear link. First, a screenshot from the user's Blur control panel, showing the burner E-mail address:

[Screenshot: Blur control panel showing the burner E-mail address]

Then, the receipt from their J.Crew order:

[Screenshot: receipt from the J.Crew order]

Eventually, the data you gave to J.Crew shows up in a background check from LexisNexis/IRBsearch:

[Screenshot: LexisNexis/IRBsearch background check]

The E-mail address is the smoking gun here, but it's certainly not the only data that was shared. In order for a data collection company to make this connection, it would need other identifying information to link the sources together. The shipping and billing address must have been provided to the data collection company in order to track down the user, but given that J.Crew doesn't disclose which information is sold to LexisNexis, it's safe to assume all information you provided to the company is shared. During the J.Crew registration process, for example, the company allows you to enter your birthday. Your birthday is a key piece of identifying information often used to corroborate databases like these, so it's likely that data would be provided as well.

Businesses selling customer data is far from a new practice. J.Crew is far from the first and will be far from the last business to engage in this type of data sharing. But just because it's not new does not make it any less sick: J.Crew are demonstrating to their users that they do not care about the privacy of their customers when it fattens their bottom line. Consumers should be wary of companies like J.Crew that abuse your personal data, and avoid businesses that do where possible.

I've reached out to J.Crew for a comment on their data sharing policies. I'll update this article with any response.