Feeds

UK childcare voucher site offline after security snafu

Busy Bees stung by breach

Internet Security Threat Report 2014

A UK childcare voucher scheme has admitted that confidential customer data was briefly left exposed to other users during an upgrade last week, but denied suggestions that any sensitive information leaked as a result.

Busy Bees' childcare voucher site has been taken offline following an upgrade that went awry, according to a company spokeswoman, who said that confidential information might have been accessible on the members-only site for around 12 hours last Wednesday night and Thursday morning. She said data on the members-only site was not viewable on the internet at large, and maintained that security problems with the site arose solely as a result of last week's update.

Nick Gibbins, a Busy Bees user who discovered the breach and notified the firm, states he found email addresses of Busy Bees customers, National Insurance numbers, bank account details, payment logs and service logs on the site. In a blog posting, now restricted but still available through Google cache, Gibbins claimed that personal data for over one hundred thousand users was exposed by lax web security at Busy Bees.

He reports that the Busy Bees' childcare voucher system was run using Citrix Metaframe. A Java plug-in on the site was used to export the user interface of a Windows 2000 application. He reckons the security hole he discovered is the result of this fundamentally wobbly application architecture and had therefore probably existed for months.

"This is such a monumentally bad idea that I don't really have the words to explain it," he writes. "It fails on all counts: accessibility, availability, scalability and security. To make matters worse, the Windows application is exceptionally shoddy; the UI behaves inconsistently, there are issues with data integrity."

Busy Bees denies the admitted security problem is anything more than a temporary snafu. "The security bug was introduced as a result of an update," a spokeswoman for Busy Bees explained. "We've never had problems before," she added.

The firm plans to move the voucher scheme on a new secure site based on different technology, which it hopes will be ready later this week.

The UK's childcare voucher scheme provides a way for parents to get tax benefits for money spent on childcare. Funds are deducted from the salary of parents, who received credits in the form of childcare vouchers that can be used as payment at nurseries in return.

The scheme is managed by firms such as Busy Bees, which runs the scheme for organisations including Halfords, South Yorkshire Police, the University of Southampton and Thames Valley Police, according to email addresses seen by Griffin. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.