
I flagged a major Data Protection breach but still feel uneasy

Hi,

So late Thursday night I decided to check when the subscription for a very popular kids' magazine was up for renewal. The company had recently sent me a letter saying I can now access my account online. So I checked, and then it occurred to me that they have made the login way too easy. The page did not ask me to register; each subscriber could merely enter his/her subscriber ID and access the details. I found the information I wanted and logged off, then it occurred to me that the subscriber ID is only 7 digits long.

I do not exactly have plenty of free time to kill, but I kept changing only 3 digits of my own subscriber ID number and within 20 minutes I had accessed 10 different accounts of people all over the UK, including a school. I could see full names, addresses, emails, what subscription they have and when it's due for renewal. :eek::eek::eek:

I stayed awake till 4am writing a complaint to them about this breach of the Data Protection Act, saying:

"I am not a hacker, I am a mum who strives to protect her children, day after day. This discovery makes me immensely angry because you have made it so easy for anyone to locate addresses where children live. Whoever thought it was a good idea to make data accessible just by entering a 7-digit number
does not realise how vulnerable children are and how we, as parents, already have to deal with countless situations that are beyond our control.
You should rectify this problem as soon as you finish reading this letter."

I sent it to them at 3:40am by high-priority email to two of their managers listed on their website and went to bed. Friday morning I had no response and the website login was still the same. I felt very uneasy; I feared someone would discover the flaw and extract information. So I forwarded my letter to the ICO (Information Commissioner's Office) as well.

A friend who works in data protection advised me to call them and it took me ages to locate a phone number. I spoke to the marketing manager who listened to me very carefully. Two hours later she sent me this email:

"First of all, I want to say thank you so much for flagging this and I also want to apologise for the understandable distress that it’s caused; we take these things very seriously here and as soon as I got off of the phone with you I made sure that our web development team were aware of the situation and we had them working on it straight away.

We've now removed this functionality from our website. Customers will now be required to sign in using their email and password only, or register via the website if they don't have a pre-existing account.

Again, I want to take this opportunity to apologise to you again and agree that this method of getting customers to sign in is just not up to scratch and not how we want to represent ourselves as a company."

I forwarded their response to the ICO but haven't directly acknowledged their email yet. Am I right in thinking they got off this very lightly? My friend even said the company should have given me a free subscription for highlighting something that their own techies / managers should have picked up, as I have potentially saved them a big fine and some very bad publicity.

Thoughts, please?

Thanks in advance.
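As an added illustration (not code from the magazine company or from the poster), here is a minimal model of the fault described above, where a guessable 7-digit subscriber ID is the only thing standing between a visitor and another family's record, next to the email-and-password design the company moved to, plus a log check an operator could have used to spot someone walking through IDs. The account data, names and client addresses are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

# Constructed sample accounts keyed by a 7-digit subscriber ID (placeholders, not real people).
ACCOUNTS = {
    "1000001": {"email": "a@example.invalid", "name": "Parent A", "address": "1 Example Road"},
    "1000002": {"email": "b@example.invalid", "name": "Parent B", "address": "2 Example Road"},
}

def lookup_insecure(subscriber_id):
    """Original design: the ID is the only 'credential', so any valid ID returns the full record.
    A 7-digit space is small, and nothing ties the caller to the account being read."""
    return ACCOUNTS.get(subscriber_id)

# Fixed design: a password per account and a session bound to exactly one subscriber ID.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

CREDENTIALS = {}  # email -> (salt, password_hash, subscriber_id); filled by set_password()
SESSIONS = {}     # random session token -> subscriber_id the session is allowed to read

def set_password(email, password, subscriber_id):
    salt = os.urandom(16)
    CREDENTIALS[email] = (salt, _hash(password, salt), subscriber_id)

def login(email, password):
    """Authentication: returns an unguessable session token, or None on bad credentials."""
    rec = CREDENTIALS.get(email)
    if rec is None or not hmac.compare_digest(_hash(password, rec[0]), rec[1]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = rec[2]
    return token

def lookup_secure(token, subscriber_id):
    """Authorization: a valid session may read only the account it was issued for."""
    owner = SESSIONS.get(token)
    if owner is None or owner != subscriber_id:
        return None
    return ACCOUNTS.get(subscriber_id)

def enumeration_suspects(access_log, threshold=5):
    """Detection for the original design: clients that looked up many distinct IDs.
    access_log is a list of (client_address, subscriber_id) pairs."""
    seen = defaultdict(set)
    for client, sid in access_log:
        seen[client].add(sid)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```

With the fixed design, the subscriber ID can stay printed on letters without being a secret; the session decides whose record is visible, and a log check like `enumeration_suspects` gives the operator a signal the company evidently did not have on Thursday night.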

Comments

  • elsien
    elsien Posts: 33,073 Forumite
    Name Dropper Photogenic First Anniversary First Post
    My concern is only for the children but where's my freebie?

    You've raised the issue. It looks like it's being resolved. You've already reported the company to the ICD for them to take any further action they deem necessary. What do you actually want to happen next? If you're planning to follow this up further you need to be quite clear about the outcome you're looking for.
    All shall be well, and all shall be well, and all manner of things shall be well.

    Pedant alert - it's could have, not could of.
  • LauraFox
    LauraFox Posts: 48 Forumite
    First Anniversary Combo Breaker
    elsien wrote: »
    My concern is only for the children but where's my freebie?

    You've raised the issue. It looks like it's being resolved. You've already reported the company to the ICD for them to take any further action they deem necessary. What do you actually want to happen next? If you're planning to follow this up further you need to be quite clear about the outcome you're looking for.

    :-) I did mention the freebie but I've already forgotten about it.

    This is the first time I have reported such an issue; I want to check with others who have some experience whether I should be satisfied with the current response and move on.
  • Fosterdog
    Fosterdog Posts: 4,948 Forumite
    First Anniversary Name Dropper First Post
    LauraFox wrote: »
    :-) I did mention the freebie but I've already forgotten about it.

    This is the first time I have reported such an issue; I want to check with others who have some experience whether I should be satisfied with the current response and move on.

    If the safety of your child/ren and others' was your only or main priority then yes, you should be satisfied with their response and even reply to let them know you are grateful they acted so quickly to resolve the matter.
  • photome
    photome Posts: 16,379 Forumite
    Name Dropper First Anniversary First Post Bake Off Boss!
    You did a good job in highlighting their shortcomings and they responded quickly, so top marks to them.

    Just a shame you then mentioned a freebie
  • sheramber
    sheramber Posts: 19,384 Forumite
    First Anniversary I've been Money Tipped! First Post Name Dropper
    I sent it to them at 3:40am by high priority email to two of their managers they have listed in their website and went to bed. Friday morning I had no response and the website log in was still the same. I felt very uneasy, I feared someone would discover the flaw and extract information. So I forwarded my letter to the ICO ( Information Commissioner’s Office) as well.

    Did you expect them to read an email at 3.45am?

    You did not give them any time to get up, get dressed and eat breakfast, get into work and do a million things before they got round to reading the many emails that were probably waiting for them.
  • IAmWales
    IAmWales Posts: 2,024 Forumite
    "I am not a hacker, I am a mum who strives to protect her children, day after day. This discovery makes me immensely angry because you have made it so easy for anyone to locate addresses where children live. Whoever thought it was a good idea to make data accessible just by entering a 7-digit number
    does not realise how vulnerable children are and how we, as parents, already have to deal with countless situations that are beyond our control.

    If someone wants to know if there are children at an address, they can simply stand outside said property, or follow a child home from school. I doubt very much that a pa*do would spend time working through various commutations to find a random address that could be hundreds of miles away.
  • stuartJo1989
    IAmWales wrote: »
    If someone wants to know if there are children at an address, they can simply stand outside said property, or follow a child home from school. I doubt very much that a pa*do would spend time working through various commutations to find a random address that could be hundreds of miles away.

    Most times you are right, but there might be circumstances which crop up from time to time...

    One example could be that an ex, for one reason or another, has the subscription ID but no access to the data linked to said subscription and no contract with the company (so no legal right to that information). So yea, they may catch wind of the new feature and instantly find out where OP lives. Maybe that causes a load of hassle for OP.
  • peachyprice
    peachyprice Posts: 22,346 Forumite
    Name Dropper First Anniversary First Post
    LauraFox wrote: »
    Thoughts, please?

    Thanks in advance.

    You pointed out a flaw, they acted immediately. Not sure what else you expect.

    And really, in all honesty, what would you imagine anyone could do with the info you were able to access, especially the school whose name, address and email would be in the public domain anyway. The only supplemental info was what magazines they subscribe to.
    Accept your past without regret, handle your present with confidence and face your future without fear
  • baza52
    baza52 Posts: 3,029 Forumite
    Name Dropper First Anniversary First Post Combo Breaker
    Most times you are right, but there might be circumstances which crop up from time to time...

    One example could be that an ex, for one reason or another, has the subscription ID but no access to the data linked to said subscription and no contract with the company (so no legal right to that information). So yea, they may catch wind of the new feature and instantly find out where OP lives. Maybe that causes a load of hassle for OP.

    seriously lol
  • stuartJo1989
    baza52 wrote: »
    seriously lol

    Yes, seriously.

    Just because you can't comprehend something, doesn't mean that it isn't possible.
This discussion has been closed.