Online merchant emails customer credit card details
Bone-headed security breach
Dabs.com has booted merchants BuyB4Sold.com off its Dabsxchange auction site after the latter committed a serious security breach involving its customers' credit card details.
On 7 September BuyB4Sold.com distributed an email to their customers, who had purchased products from a virtual auction hosted by Dabs, with an Excel attachment containing credit card details of other customers.
A Register reader informed us that the offending email contained names, addresses, telephone numbers, credit card numbers and credit card expiry dates of customers.
The 127 people affected by breach, which was the result of human error, have been advised to contact their credit card companies to get cards cancelled.
Dave Atherton, managing director of Dabs.com, described the actions of BuyB4Sold.com as "sloppy" and although the breach had nothing to do with the security of its auction site it decided it appropriate to sever links with the firm.
BuyB4Sold.com sells software and games in a similar manner to book clubs making its money from postage and packing charges on software that is sometimes listed as being "free". It is a marketing program run by retail Web site Onehighstreet.com.
In February, we reported that Onehighstreet.com left customer details in plain view on an insecure Web server, now its security has been called into question again.
Carl Laidler, concept development direct at Onehighstreet.com, said the security breach was a result of human error. A member of the firm's customer service team emailed a customer spreadsheet out without reference to any accepted procedures.
That person is the subject of disciplinary proceedings.
To restore confidence, Onehighstreet.com has withdrawn its online sales activities for between seven and 14 days during which time it is bringing in an external consultant to conduct a security audit. ®
Sponsored: Customer Identity and Access Management