Centre for Computing History apologises to customers for 'embarrassing' breach

The Centre for Computing History (CCH) in Cambridge, England, has apologised for an "embarrassing" breach in its online customer datafile, though thankfully no payment card information was exposed. The museum for computers and video games said it was notified that a unique email address used to book tickets via its website " …

  1. Mike 137 Silver badge

    "We take security and your data extremely seriously,..."

    As usual, after the fact. Although we await details on this one, a common error is insufficient segregation between the presentation layer and the database layer. I've even seen SQL queries in GET parameters.

    1. TheFifth

      Re: "We take security and your data extremely seriously,..."

      I've seen worse. I had an enquiry from a prospective client who wanted me to fix a few issues on his website. After looking through it I found that the site had the FTP details for the main server, passed in hidden fields, on a public facing form! It was a Joomla site (honestly I could stop this sentence right here, but I'll elaborate) and for some reason the dev used a weird JS based FTP upload script rather than the more usual multi-part form upload. Even with that, you'd think they'd not pass the FTP details in a form field! I could find no rationale for the entire mess.

      The same site also passed the root database credentials(!) in hidden form fields. This was on an admin restricted page, but still, what the hell?!?

      I told the client I would rebuild his site from scratch, but I wasn't patching up that steaming pile of code.
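A defender-side check for the pattern described in the comment above, as an added example that is not part of the thread: it scans rendered HTML for hidden form fields whose name or value looks like connection details or credentials. The name patterns and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic field-name patterns (assumption: tune these for your own code base).
SENSITIVE_NAME = re.compile(r"(passw(or)?d|pwd|api_?key|ftp_|db_)", re.I)
# Values that embed credentials in a URL, e.g. scheme://user:pass@host
CRED_URL = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)


class HiddenFieldAudit(HTMLParser):
    """Collect hidden <input> fields that appear to carry secrets."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Only non-empty hidden inputs are of interest.
        if tag != "input" or a.get("type", "").lower() != "hidden" or not a.get("value"):
            return
        name, value = a.get("name", ""), a["value"]
        if SENSITIVE_NAME.search(name):
            self.findings.append((name, "sensitive field name"))
        elif CRED_URL.search(value):
            self.findings.append((name, "credentials embedded in URL value"))


def audit_html(html):
    """Return (field name, reason) pairs for suspicious hidden fields."""
    parser = HiddenFieldAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample page, not taken from any real site.
SAMPLE = """
<form action="/upload" method="post">
  <input type="hidden" name="csrf_token" value="c0ffee">
  <input type="hidden" name="ftp_host" value="files.example.test">
  <input type="hidden" name="ftp_password" value="not-a-real-password">
  <input type="hidden" name="return_to" value="ftp://user:pw@files.example.test/in">
  <input type="text" name="password">
  <input type="hidden" name="page" value="2">
</form>
"""

if __name__ == "__main__":
    for field, reason in audit_html(SAMPLE):
        print(f"{field}: {reason}")
```

Run it against the HTML your own application actually serves, including admin-only pages, since a login wall does not stop the values from reaching the browser.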

  2. Terry 6 Silver badge

    After the fact

    In any other area there's the assumption that there will be proactive work. Someone will have the responsibility for reviewing and assessing the risk of any breach of safety- reviewing it and sorting out protections. So it should be comparatively rare and negligent for there to be, say, a blocked fire exit or a trip hazard causing serious injury. It happens, but then it's a big deal.

    But data security...I dunno. It sometimes seems like it's just set up, switched on then left running by all these companies.

    1. Snake Silver badge

      Re: Set up and switched on

      The problem is that everyone assumed that the people in charge of "set up and switched on" know precisely what they are doing, and do so perfectly, every time.

      And, of course, when we "assume" we can not be guaranteed of someone making an ASS of themselves.

      My boss commissioned a web site without a single word to me (the "tech" of the company). Handed off to me after construction for me to look after, a year later it was hacked. Why? Because the builder placed the web site on the server without changing any defaults, they left the admin pages in the default locations and failed to change any site permissions, as well.

      After I got a grip on the site design, discovered the flaws as well as the expected correct procedures to follow when installing the SMS, I corrected the flaws, reconfigured the system as well as corrected coding errors...and cursed out the incompetent writers. As well as let my boss know how unhappy I was with both the quality of the work plus him not letting me in the decisions in the first place, meaning that I was picking up the mess.

      The Centre, I am quite sure, hired web designers to do that job. But with little oversight, and likely no one to double check the design work, it went live under the expectation that the designers would have taken care of all issues. That's why you hire a contractor in the first place.

      But, like home contractors, you need to keep your own eyes out on things.

      1. Yet Another Anonymous coward Silver badge

        Re: Set up and switched on

        On the other hand it's a charity museum running a few mailing lists so it's probably reasonable for it to only spend 99% of its budget on computer security staff

  3. JassMan

    Sounds like the Queen of Chaos

    should visit and learn how data breaches should be handled.

  4. Anonymous Coward
    Coat

    To be fair

    Computing history has to include phishing and data breaches.

    (Still, a plus to CCH for transparency.)

    1. Red Ted
      Joke

      Re: To be fair

      Perhaps they should sell the t-shirt design:

      “I sent all my money to Lagos and all I got was this t-shirt”?

  5. Omidia

    I think their apology has been much more stand up than most we see, to their credit.

    (Yes, that's what it's come to -- is it a good enough apology or not...)

  6. Cuddles

    a unique email address

    I get a lot of weird looks when I give out clearly unique addresses, plus a lot of confusion from people who struggle to grasp that I really can receive emails sent to yourcompany.mail@mydomain.co.uk. This is precisely why I do it. Not only can I identify exactly who is responsible for leaking anything, it's also then trivial to block the leaked address.

    1. Bendacious

      Re: a unique email address

      I do the same thing. Cue odd silences on the phone when I give WaterCompany@mydomain.com, which then receives emails from a boiler maintenance company. ebay@mydomain.com is the busiest, they give that away like GDPR was a promise on the side of a bus.
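The per-vendor alias scheme described in the two comments above, as an added example that is not part of the thread: given the To and From headers of received mail, it reports which alias has started receiving mail from senders other than the vendor it was issued to. The alias registry, the domains and the messages are constructed.

```python
from email.utils import parseaddr

# Constructed registry: alias local part -> sender domains expected for that vendor.
ALIASES = {
    "watercompany": {"water.example"},
    "ebay": {"ebay.example"},
    "museum": {"museum.example"},
}


def domain_of(header_value):
    """Lower-cased domain from a From/To header value, or '' if unparsable."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_expected(sender_domain, allowed):
    """True for an allowed domain or a true subdomain of one (not a lookalike suffix)."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def find_leaks(messages, my_domain="mydomain.example"):
    """Map each tracked alias to the unexpected sender domains seen on it."""
    leaks = {}
    for to_hdr, from_hdr in messages:
        _, rcpt = parseaddr(to_hdr)
        local, _, rcpt_domain = rcpt.lower().rpartition("@")
        if rcpt_domain != my_domain or local not in ALIASES:
            continue  # not one of our tracked aliases
        sender = domain_of(from_hdr)
        if not is_expected(sender, ALIASES[local]):
            leaks.setdefault(local, set()).add(sender or "<unparsable>")
    return leaks


# Constructed (To, From) header pairs.
MESSAGES = [
    ("WaterCompany@mydomain.example", "Billing <bills@mail.water.example>"),
    ("watercompany@mydomain.example", "Boiler Deals <offers@boilers.example>"),
    ("ebay@mydomain.example", "promo@notebay.example"),
    ("ebay@mydomain.example", "Marketplace <news@ebay.example>"),
    ("museum@mydomain.example", "tickets@museum.example"),
]

if __name__ == "__main__":
    for alias, senders in sorted(find_leaks(MESSAGES).items()):
        print(f"{alias}@mydomain.example leaked; seen from {sorted(senders)}; block this alias")
```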

  7. Dan 55 Silver badge

    Use the Dutch campsite solution

    If CCH had used an Atari ST database like this Dutch campsite manager still does 35 years later then customer data would have been completely secure.
