This is embarrassing
Hope Virgin gets slapped by the ICO
Virgin Media has shuttered a kindergarten-grade bug in a third party website that exposed up to 50,000 résumés it's received over the years, complete with names, street and email addresses of applicants. The vulnerability was due to entirely absent access controls on a public server to which applicants were directed to upload …
"until we start seeing directors held accountable"
Although it's not for issues like this, it appears El Gov are taking a step in the right direction - they're going to be doing that when it comes to dodgy cold callers: Government clamps down on nuisance call crooks
All we need now is a bit of mission creep.
"I don't see what Virgin has got to do with this."
I'm not 100% sure of the relationship between Virgin and Campus Futures, but if it's deemed Virgin are outsourcing the processing of data to Campus Futures, then it's still Virgin's problem. Quoth the ICO:
"As data controller you will remain liable for compliance with the DPA in relation to both the processing and any sub-processing (whether that processing is carried out in the UK or overseas). It is therefore important that you are satisfied that the proposed subcontracting will not materially increase the security risks to the data being processed nor adversely affect the rights of the data subjects."
How did he get that title? Engineer ffs? If he is an engineer and not a wet-behind-the-ears script kiddie he should be ashamed.
Talking of exposed information, did you know that if you use the confused.com website to search for an insurance deal that they then send you an email with a link to your account - with all the details you've entered "and no need to log in"!
Wonderful innit?
I complained and this is the response I got:
"Hello Mr ****,
Thank you for your email. My name is **** ****** and I'm a complaints officer here at Confused.com.
I'm very sorry you're worried about security after using our website. Rest assured this is not the experience we want for our customers.
After you generated insurance quotes for your ********** flat, our system would have sent an automated email on the day you received your quotes to confirm your cheapest prices. When you click the link in this email you are directed straight into your Confused.com account, and this happens because only the email account holder (yourself) will have access to this link. Additionally, the link can only be clicked a certain number of times and can only be clicked for a period of time (30 days) before it becomes unusable.
In this case, Mr ****, your Confused.com account could only be compromised if your email account were to be accessed by another person, so we would advise you to keep a strong password and security question on your email account to prevent this from happening.
I hope this email clarifies why you were able to access your account without a username and password, Mr ****, and I hope this reassures you that nobody else will be able to do so unless they have access to your email account where they can find the link. As the email can only be viewed by yourself, I've closed your complaint as not upheld.
I hope that we have been able to resolve your complaint with this explanation, but if you have any further queries, please don't hesitate to contact us again."
Be warned, this is the level of competence these companies have facing the world.
"Dear ****,
You're new to this, aren't you?
Here is an easy page to read about why email is insecure and why your company's policy of sending a link which gives direct access to my account with my personal information and that of my family is lunacy.
http://www.digitaltrends.com/computing/can-email-ever-be-secure/
I am referring your reply to the relevant government department.
I forwarded the reply to the ICO. I have had reason to complain to them before over a copy of a power of attorney that was sent by a pension company by email.
The pension company were forced to apologise to me but the ICO took no further action as it was felt to be an "isolated incident".
I can't wait to see how this works out.
Why not try it for yourselves, guys? Just don't put in your correct details. :)
The fact that it's not secure doesn't excuse these buggers making it even less so. The whole point is to get these people to tighten up their procedures to make it secure. Forgotten password prompt should require 2 factor authentication. You'll thank us for making your convenience obsolete.
"... and 'walked' a security engineer through resolving the mind-bending bug".
So not only was the "security engineer" unaware of the permission settings, he/she could not even correct the problem without help?
Sigh
Addendum: It's not a bug, file and directory permissions are a feature. This is just sloppy website administration.
According to the ICO's Legal Team, any organisation can process that information without being prosecuted because according to them, personal information found in the public domain does not require the consent of the data controller.
So if Virgin are Company A and they've accidentally disclosed this personal information to the public domain, then Company A could possibly face prosecution by the ICO. Particularly when you bear in mind that being a member of a union is sensitive personal information and a typical CV might contain this information.
Yet according to the ICO, if Company B comes along and decides to process the information that has been disclosed, Company B cannot be prosecuted. Even if they know full well that the disclosure was accidental. If Company B processes this information then the most that can happen to them is that the ICO will tell them that they've unfairly processed personal information and not to do it again.
I'm currently challenging the ICO's view that information found in the public domain does not require the consent of the data controller.