Feeds

Security meltdown at Hotel Chocolat

Website displays personal details

The Essential Guide to IT Transformation

Contrary to popular belief, it seems that chocolate isn't always simply a pleasurable oral substitute for sex.

In fact, chocolate munchers are a rowdy bunch - a bloke in the midlands who is rather partial to a "Rocky Road Slab" is also "fantastic in bed", apparently...

How do we know this? One El Reg reader alerted us to the fact that online choccy provider Hotel Chocolat had been inadvertently displaying personal information on its website.

Names, addresses, and orders could be seen alongside intimate messages left for the intended recipient of chocolatey goodness.

Although the website was not displaying anything as private as credit card details, the fact that names and addresses were viewable is enough to violate data protection.

Hotel chocolat

As soon as she became aware of the privacy issue she emailed Hotel Chocolat and politely suggested it fixed what was clearly a security flaw.

However, it took several emails before the website responded, which meant personal details were displayed for at least a day - though likely for longer than this - before the issue was rectified.

The website has a privacy page that states the following:

"Security is a priority at Hotel Chocolat...You need to know that a website is legitimate, and transactions are secure before you buy. To address these issues, the Hotel Chocolat website uses a Digital Certificate from BT TrustWise."

Hotel Chocolat also uses Verisign, which should encrypt information before it is sent across the web to help secure the site from hackers/wrong-doers/people in dark bedrooms with nothing better to do, etc.

But for at least 24 hours the website offered dubious types the opportunity to print off personal information.

By mid-afternoon yesterday the website had finally been fixed, it seems, thanks largely to our reader's determination.

Meanwhile, Hotel Chocolat isn't talking to us despite several phonecalls. Seems they're, er, fully booked or something. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.