I flagged a major Data Protection breach but still feel uneasy
To be fair to the OP I would have tested it as well, not 10 but I would have certainly tried one.
How was the OP to know that it wasn't secure if they didn't test it?
For all they knew there was a clever way of the site determining if their computer was the right computer to access the information. Or some other way of verification they were unaware of.
They could have complained without knowing for sure but wouldn't have felt so confident in escalating the issue (and getting it resolved) if they weren't sure of their facts.
I don't think you should have written the details down or even looked enough to see the details. Just telling the company that their security wasn't acceptable would have been enough; no need to prove it, that would be their job to investigate.
Email them asking for a freebie or some other form of remuneration so we can end this saga.
Sorry to see you are the only one in here who didn't get this, but I'll explain to you. I accessed other accounts only enough times so as to prove a point. I wrote down names and cities and listed them in my letter so that the company would see it as evidence of the vulnerability.
Oh I get it, so don't be so patronising.
White hat or black hat - you were still a hacker.
Fortunately this is the least serious type of hacking with a maximum of only 2 years imprisonment and/or a fine under the computer misuse act.
Hacking
Hacking is the popular term for what is properly called 'cracking'. We use the term hacking as a synonym for cracking, though strictly speaking a cracker is one who breaks into someone else's computer system, while a hacker is just a computer programmer.
Under the Computer Misuse Act 1990, the following are offences:
Unauthorised access to computer material (section 1);
Unauthorised access with intent to commit or facilitate commission of further offences (section 2); and
Unauthorised modification of computer material (section 3).
The maximum penalty for the section 1 offence (unauthorised access to computer material) is two years' imprisonment and a fine. For a section 2 offence, the maximum penalty is 5 years' imprisonment and a fine. For a section 3 offence, the maximum penalty is 10 years' imprisonment and a fine.
These offences are potentially wide in scope: even guessing the password to access someone else's webmail account could be prosecuted as an offence of unauthorised access to computer material.
Personally I think that the OP should be provided some kind of gratuity here.
She has pointed out a security flaw (a pretty terrible one) in a company's data systems.
She is not an employee of this company and has done them a service.
Most big tech companies run a "bug bounty" scheme for just this type of thing, where they pay "users" to report flaws in their systems to them.
They have benefited from this, so why shouldn't they give a small token of appreciation?
It's quite clear that the OP didn't go about this with the intention of monetary gain.
My friend even said the company should have given me a free subscription for highlighting something that their own techies / managers should have picked up as I have potentially saved them a big fine and some very bad publicity.
But it seems she now expects to get some gratuity.