Tosh UK rewards competition hopefuls by exposing their privates
ICO slaps wrist after URL twiddling leaked personal info
Toshiba Information Systems UK breached the Data Protection Act, the Information Commissioner's Office (ICO) has ruled.
The company published the personal details of 20 competition entrants on its website, which were compromised by a security gaffe, the watchdog growled.
"A security fault with the incremental numbering of the competition entrants registration URL created the potential for access to other customers' personal data for a two-month period," the regulator said.
The ICO was told about the privacy blunder in September. Names, addresses and dates of birth as well as contact information were exposed on the site after people registered for an online competition. The watchdog found that Toshiba had failed to put in place the correct measures to detect that a web design cock-up had been made by an unnamed third-party coder.
"It is vital that, as ever-increasing amounts of our personal information are collected online, companies have the necessary safeguards in place to keep this information secure," said ICO head of enforcement Stephen Eckersley.
"We are pleased that Toshiba Information Systems (UK) have committed to ensuring that any changes to applications on their website are thoroughly tested by both the developer and themselves, in order to keep the personal information they are collecting secure."
He warned: "We would urge other UK organisations with interactive websites to make sure they have suitable checks in place before collecting peoples’ details online."
Toshiba inked an undertaking [PDF] with the ICO to implement security measures to ensure that the personal data it handles are protected. ®