Oz DNA tester’s privacy shocker
Some people shouldn't be let near Web servers
In a facepalm, forehead-slap, hang-your-head-in-shame howler, South Australian DNA testing company Medvet has left its online customer accounts system open to being indexed by Google.
As reported by The Australian, the search engine’s crawlers have dutifully recorded customer invoices including addresses and, in some cases, names.
Medvet’s managing director is reportedly seeking information from the company’s software supplier, rather than staging a public hanging of whoever set up robots.txt on its Website.
Although the SA government-owned company is trying to take action, it seems at sixes and sevens about what to do, telling the Oz it would conduct a full “security vetting” of the system, but not mentioning whether or not it would get in touch with Google to ask whether the search results can be removed.
At the time of writing, The Register was able to confirm that the search results remained in the Google cache (below).
Redacted version of Google cache results for Medvet.
Even without names, the privacy breach is disturbingly creepy: "That's my address, but I didn't order a paternity test / drug test - who did and why?"
While no test results appear in the searches, the privacy breach is serious enough for Australia’s Privacy Commissioner Tim Pilgrim to launch an investigation.
According to The Australian, Medvet was first told of the privacy breach in April. ®
Two things in that article stood out to me
The first thing was: "Medvet’s managing director is reportedly seeking information from the company’s software supplier, rather than staging a public hanging of whoever set up robots.txt on its Website."
The person who set up the robots.txt file is in no way responsible. If your idea of security is relying on search engines to obey robots.txt I sure as hell don't want you working for me. Web design security 101 says that all sensitive information is to be held on a database and inserted into a web page only after suitable authentication of access privileges. Robots.txt is a guide for search engines, not an access blocker.
The second thing that jumped out at me was: "That's my address, but I didn't order a paternity test / drug test - who did and why?"
Can you spell "lawsuit?" Paternity testing is a particularly dangerous thing to associate with random addresses! You see, there's this problem: the vast majority of women will undergo thermonuclear fusion the moment their chosen man even dares to question the paternity of her unborn child. That the woman has biological assurance that the baby's hers while denying to the man any such assurance beyond her word is one of the great double standards of the feminist era.
On a biological level, a woman who falsely claims another man's baby as her husband's does the same thing, from a genetic point of view, as a man who rapes her. That is, by choosing her partner, a woman exercises her right to mate choice - whose genes to pass on to her offspring. A man who rapes her takes away that choice. By choosing his partner, a man exercises his right to mate choice - whose genes to pass on to his offspring. A woman who gets pregnant to another man and lies to her SO takes away that choice. So rape and paternity-deception are effectively the SAME THING. However, the punishment meted out is not the same - hence the double standard.
So now, to get around this discrepancy, companies like Medvet provide a "discreet paternity service". Such a test is often called a "peace-of-mind" test because it's not admissible in court (although it does give grounds for a court-approved test later on). The idea is that a man orders the test, uses the supplied swabs to take saliva samples from himself and the baby, sends them in, and gets a confidential reply saying yea or nay. Secrecy is of the utmost importance lest the woman get wind of the test and explode. There's no way any sane man would dare to question paternity openly to his wife/girlfriend, because the result is all too predictable. He just has to "trust her". Yeah, right.
So if this Medvet has leaked addresses (and wrong ones at that) there is a very real risk that a woman living at such an address might think that her husband has ordered a confidential paternity test (even if he hasn't; the site just mentions the address) and it could destroy their relationship. And I can see some pretty serious lawsuits arising out of that one.
Incidentally, a nice piece of poetic justice concerning a woman who tried to pass off another man's baby as her boyfriend's can be found at: http://www.craigslist.org/about/best/sea/274495936.html
No need for a name field in the DB
We're all called Bruce ;-)
Web design fail
It looks like their entire ordering system is indexed. Which, given that Google only follows links, means that there's a link on their page to list all orders.
Also, the order numbers are sequential numbers, with no other validation like a login required... newbie web store error, meaning their entire system has been wide open for ages.
I really hope they didn't *pay* anyone to design that system, and the 12 year old they asked to do it gets a sharp talking to.
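The two points made in the comments above (robots.txt is advisory, and sequential order numbers need an access check behind them) can be shown side by side. This is an added example, not part of the article or its comments and not Medvet's code; the invoice records, session token, paths and function names are all constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample data: order numbers are sequential, as the comment describes.
INVOICES = {
    1001: {"owner": "alice", "address": "1 Example St"},
    1002: {"owner": "bob", "address": "2 Sample Rd"},
}
SESSIONS = {"tok-alice": "alice"}  # hypothetical session token -> user name

ROBOTS_TXT = "User-agent: *\nDisallow: /orders/\n"


def crawler_may_fetch(path, agent="ExampleBot"):
    """What a well-behaved crawler decides for itself; the server enforces nothing."""
    rp = RobotFileParser()
    rp.parse(ROBOTS_TXT.splitlines())
    return rp.can_fetch(agent, path)


def get_invoice_open(order_id):
    """The criticised design: any request that supplies a valid number gets the record."""
    inv = INVOICES.get(order_id)
    return (200, inv) if inv else (404, None)


def get_invoice_checked(order_id, token=None):
    """Authenticate first, then serve only records owned by the caller."""
    user = SESSIONS.get(token)
    if user is None:
        return (401, None)
    inv = INVOICES.get(order_id)
    # Same 404 for "missing" and "not yours", so a response never confirms
    # which order numbers exist.
    if inv is None or inv["owner"] != user:
        return (404, None)
    return (200, inv)
```

A Disallow rule changes only what a compliant crawler chooses to request; `get_invoice_open` still answers 200 for the same path, while `get_invoice_checked` refuses it regardless of who is asking or how the URL was found.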