Tosh UK rewards competition hopefuls by exposing their privates
ICO slaps wrist after URL twiddling leaked personal info
Toshiba Information Systems UK breached the Data Protection Act, the Information Commissioner's Office (ICO) has ruled.
The company published the personal details of 20 competition entrants on its website, which were compromised by a security gaffe, the watchdog growled.
"A security fault with the incremental numbering of the competition entrants registration URL created the potential for access to other customers' personal data for a two-month period," the regulator said.
The ICO was told about the privacy blunder in September. Names, addresses and dates of birth as well as contact information were exposed on the site after people registered for an online competition. The watchdog found that Toshiba had failed to put in place the correct measures to detect that a web design cock-up had been made by an unnamed third-party coder.
"It is vital that, as ever-increasing amounts of our personal information are collected online, companies have the necessary safeguards in place to keep this information secure," said ICO head of enforcement Stephen Eckersley.
"We are pleased that Toshiba Information Systems (UK) have committed to ensuring that any changes to applications on their website are thoroughly tested by both the developer and themselves, in order to keep the personal information they are collecting secure."
He warned: "We would urge other UK organisations with interactive websites to make sure they have suitable checks in place before collecting peoples’ details online."
Toshiba inked an undertaking [PDF] with the ICO to implement security measures to ensure that the personal data it handles are protected. ®
No fine. But then this isn't a public authority so no surprise there then.
We need an ICO that will actually PUNISH companies - not just government organisations.
I can image the conversation
Marketing bright spark 1: Let have a online competiton so we can collect a marketing database of perspective customer.
Marketing Bright spark 2: Yea, Great Idea, but won't we have to go through IT to get the website created.
Marketing bright spark 1: No, IT don't know nothing and it takes them too long to do anything, One of my friend on facebook is a web expert who can do it in 5 mins. He'll do it and we can host it at 1to1 hosting they only charge $25 a month.
Marketing bright spark 2: Brilliant. I'll tweet to say how great we are.
Re: The other side of the coin
Firstly I don't work in IT, I work in the business making sure IT and the other business teams do their job and don't put the company/customers at risk.
The exploit was caused by inept web programming, one of the top ten OWASP vulnerabilities, which any have comptent web developer would have spotted, and any sensible business tests for these before putting code live.
I seen this happen so many times, when people think they know better and put the business at risk.
Have you had your "secure" system independetly validated by a knowledgable 3rd party, do you have a valid DR plan incase the system breaks or the desk it's under burns down, is it fully documented in case you get hit by a bus.
I agree that IT depts can be painfully slow, but sometimes there are reasons for that ususally because the business demands perfection on shoestring budget.
Grey IT is the biggest security risk to any business.