A two-page printed invoice arrived with the first set of packages; and months later a virtually identical invoice was sent with the package I received on the 13th of June. The invoice is in essence a web page; and it has its own URL printed across the bottom of its pages.
The invoices cannot be reproduced in full here; they contain my client's personal information and her credit card number. But here below is an image of the second page of the invoice I received on the 13th of June, which shows just how clearly the URL was displayed:
Page 2 of the invoice from the 10th of January is closely similar.
Changing the order number in the URL would produce the full record of any order in their entire database if the order number was valid.
I found the order numbers were sequential with no gaps. I entered a number of values to find the limits of the valid record numbers. I found that any number I entered ranging from 1301 to 16453 produced a record like this one (yes, it's the real thing, but it's a dummy record containing no valid data).
The available records, more than 15,000 of them, covered the span of dates from 21 July 2000 to the present, which was at that time approximately 2:40 PM, Saturday, the 16th of June 2001.