ICO 'making enquiries' into bizarre shopper data spill at M&S

The Information Commissioner's Office is making enquiries into Marks & Spencer's website after customers complained that they were being presented with each others' personal details while shopping. Marks & Spencer made its website temporarily unavailable last night after what it claimed was "a technical issue". The company's …

  1. Anonymous Coward

    This is not just a data breach

    This is an M&S data breach

    1. Commswonk

      Re: This is not just a data breach

      This is an M&S data breach

      Does El Reg have an award for the "post of the week/month/year", and if not, why not?

      An upvote (or even a lot of them) doesn't really do it justice.

      1. wolfetone Silver badge

        Re: This is not just a data breach

        Anonymous Coward because it's actually Dervla Kirwan

  2. Your alien overlord - fear me

    Funny how there is no mechanism on the website to complain. End users had to use FarceBorg to get noticed. Says something about M&S's IT support people.

    1. sabroni Silver badge

      re: Says something about M&S's IT support people.

      Not really. It says something about poor web design, but it's more likely a specific requirement.

      "We haven't had any complaints since the new site went up. It's the same as the old site but we've removed all the "Report a problem" links...."

      Overpriced trebles all round?

  3. Anonymous Coward

    Could this be some badly configured web caching?

    1. Wiltshire

      Yes, that would be my guess. I've experienced that with some ISPs that still cache at their gateway, AOL was the worst offender. Session records got cached, despite the page headers saying please don't cache.

      Cache-Control: no-cache, no-store, must-revalidate

      Pragma: no-cache

      So it may affect some users but perhaps not all, depending on the ISP.

      1. Christoph

        Pages with information like that should be encrypted, so should definitely not be cached - and if they were, could not then be decrypted by a different user.

        So either not a cache problem, or Marks & Sparks were very naughty and weren't encrypting the pages.

        1. djack

          The caching will have likely occurred within the M&S application server. It is common to cache common 'rendered' blocks of a built-up dynamic page.

          My guess would have been some race condition within the authentication process.

          1. teknopaul

            agreed

            cache of a response with a set-cookie header seems likely
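The two cache theories above (Wiltshire's "despite the headers saying please don't cache" and teknopaul's "cache of a response with a set-cookie header") can be checked mechanically. The following is an added example, not code from the thread or from M&S: a small audit of response headers that reports when a session-bound page, or one that issues a cookie, is still storable by a shared cache (ISP gateway, CDN, reverse proxy, or an application-side fragment cache honouring the same rules). The sample header sets are constructed for the example; the `no-cache`/`no-store` distinction is the standard HTTP one (`no-cache` only forces revalidation, `no-store` forbids storing at all).

```python
"""Audit HTTP response headers for cache safety of personalised content.

Added example (not code from the original thread). Decides whether a shared
cache may store a response, and flags responses that are bound to a user
session yet lack the directives that keep them private. Header names are
compared case-insensitively, as HTTP requires.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into a {directive: argument} map.

    Directive names are lower-cased; directives without "=" map to "".
    Surrounding quotes on arguments are removed.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns "" when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """True if a shared cache is permitted to store this (200) response.

    no-store forbids storing anywhere; private forbids storing in shared
    caches. Without either, a 200 response may be stored and even served
    with heuristic freshness, so absence of headers is not protection.
    """
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    return "no-store" not in cc and "private" not in cc


def audit_response(headers: Dict[str, str], session_bound: bool) -> List[str]:
    """Return findings for one response; an empty list means it looks safe.

    session_bound: the body was rendered for a logged-in user, so it must
    never be handed to anyone else.
    """
    findings: List[str] = []
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    has_set_cookie = bool(_header(headers, "Set-Cookie"))

    if (session_bound or has_set_cookie) and shared_cache_may_store(headers):
        findings.append("session-bound response is storable by a shared cache; "
                        "add Cache-Control: private, no-store")
    if has_set_cookie and "no-store" not in cc:
        findings.append("Set-Cookie response lacks no-store; a stored copy would "
                        "hand the cookie to other users")
    if _header(headers, "Pragma").lower() == "no-cache" and not cc:
        findings.append("Pragma: no-cache alone is not a response directive in "
                        "HTTP/1.1 caches; add Cache-Control")
    if session_bound and "no-cache" in cc and "no-store" not in cc:
        findings.append("no-cache only forces revalidation and still allows "
                        "storing; use no-store for personal data")
    return findings


# Constructed sample responses for the audit (not captured from any site).
SAMPLE_RESPONSES = {
    # The headers quoted in the thread: safe for a personalised page.
    "thread_headers": ({"Cache-Control": "no-cache, no-store, must-revalidate",
                        "Pragma": "no-cache"}, True),
    # Sets a session cookie but says nothing about caching: the Set-Cookie case.
    "cookie_no_cc": ({"Content-Type": "text/html",
                      "Set-Cookie": "sid=example; HttpOnly; Secure"}, True),
    # Relies on no-cache alone for an account page.
    "no_cache_only": ({"Cache-Control": "no-cache", "Pragma": "no-cache"}, True),
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over every constructed sample and return the findings."""
    return {name: audit_response(h, bound)
            for name, (h, bound) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["ok"])
```

Run it and the quoted `Cache-Control: no-cache, no-store, must-revalidate` set comes back clean, while the cookie-issuing response with no `Cache-Control` and the `no-cache`-only account page each produce two findings. Whether a given proxy actually honours the directives is a separate question, which is why later comments argue for HTTPS rather than headers alone.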

            1. Phil_Evans

              Re: agreed

              As is a gaggle of little rubber people with oversize specs and hipster beards with more tech libido than is healthy running amok with their flamboyant 'agile' ways, no doubt.... 'like, it's never going to happen, is it, like?' etc...

        2. Bloakey1

          <snip>

          "So either not a cache problem, or Marks & Sparks were very naughty and weren't encrypting the pages."

          I heard that they were having cache <sic> flow problems but this one seems to be worse than my wildest fears.

          I once asked a Scottish systems administrator how big her cache was on a support call. She heard "how big is your gash?" and I got an embarrassed reply of "no bigger than any other girl of my age". Even now I cringe at the thought.

      2. Infernoz Bronze badge
        FAIL

        Cache control directives in HTTP responses and HTML content are the wrong answer, and not reliable.

        All web pages with any sensitive content, including any personal and financial details, must only ever be over HTTPS, for security, including preventing caching; it is fracking negligent not to do this!

        I'd suggest that all session derived content should go over HTTPS anyway to block caching and traffic spying.

  4. Electron Shepherd

    Probably just a dodgy update

    If it wasn't for all the media coverage around TalkTalk at the moment, this would have barely merited a mention, and would have been filed under "e-commerce site has bug".

    1. Dan 55 Silver badge

      Re: Probably just a dodgy update

      Good. The more people who are aware that online security matters the better.

    2. sabroni Silver badge
      Facepalm

      Re: all the media coverage around TalkTalk

      Yeah, The Register is only interested in this sort of stuff since the TalkTalk debacle....

    3. Grubby

      Re: Probably just a dodgy update

      But isn't that the very definition of 'news'? This is a news site, technically everything that has ever or will ever happen is 'news' so a decision has to be made about what is relevant and currently people are interested in this sort of story as, as you correctly point out, it has recently impacted many people in the UK.

  5. wheelbearing
    Facepalm

    Plenty more where that came from..

    My Dad says he saw another customer's bank account details as well as his own when he logged in last week. He called Lloyds, and they told him not to worry and just to clear his browser cache, and not use old location bar URL history to navigate to the login page any more.

    Absolutely nothing to worry about there!

    1. Pascal Monett Silver badge
      WTF?

      Really ?

      So "old location bar URL history" is enough to access other people's details on a banking site ?!?

      Chalk up another one for the inevitable robot revolt. A purge is starting to seem necessary.

  6. This post has been deleted by its author

    1. John G Imrie

      There is nothing in that quote to make any assumption on what the technical team thought. The fact that they took down their website suggests that someone with a lot of authority was

      a) Worried about it.

      b) listening to the technical department telling them that we need to take the web site offline

      c) prepared to write off the thousands of pounds per minute that not having the web site available would cost the company.

  7. mark 120

    I've seen this before at a place I worked. Turned out the random number generator used to create the 'unique' session IDs wasn't random, and if a second user got the same ID before the caches had been cleared they could see the other person's details.
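The failure mode in the post above (two users issued the same "unique" session ID) is easy to reproduce with a generator seeded from a coarse clock, and just as easy to close. This is an added example, not code from the thread or from the site the poster worked at: `weak_session_id` stands in for the broken generator (seeded from something like `int(time.time())`, so two requests in the same second collide), `strong_session_id` draws from the OS CSPRNG via the `secrets` module, and a `SessionStore` refuses to hand out an ID that is already live so a collision can never silently map one user onto another's session. Names and the seed value are assumptions for the illustration.

```python
"""Session identifiers: predictable versus unpredictable generation.

Added example, not code from the thread. Reproduces the collision the
comment describes with a clock-seeded PRNG, then shows the fix: IDs from
the operating system's CSPRNG plus a store that rejects duplicates.
"""
import random
import secrets
from typing import Dict


def weak_session_id(seed: int, nbytes: int = 16) -> str:
    """Session ID from a PRNG seeded with a coarse value such as int(time.time()).

    Mersenne Twister is deterministic: two requests that see the same seed
    get the same stream and therefore the same "unique" ID. Seeding is
    passed in explicitly here so the collision is reproducible offline.
    """
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def strong_session_id(nbytes: int = 16) -> str:
    """Session ID from the CSPRNG behind the secrets module (os.urandom).

    16 bytes gives 128 bits of entropy, the usual minimum for session tokens;
    collisions are not a practical concern at that size.
    """
    return secrets.token_hex(nbytes)


class SessionStore:
    """Maps session IDs to users and never lets two users share one ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, user: str, session_id: str) -> str:
        # A live ID being handed out a second time is exactly the bug in the
        # post: refuse it rather than overwrite (or expose) the other session.
        if session_id in self._sessions:
            raise ValueError("session ID collision; refusing to reuse a live session")
        self._sessions[session_id] = user
        return session_id

    def owner(self, session_id: str) -> str:
        """User bound to the ID, or "" if the ID is unknown."""
        return self._sessions.get(session_id, "")

    def end(self, session_id: str) -> None:
        """Logout: release the ID so nothing stale survives in the store."""
        self._sessions.pop(session_id, None)


def demonstrate_collision(clock_second: int) -> bool:
    """Two logins in the same second with the weak generator collide.

    Returns True when the store correctly rejects the second login; the
    constructed clock value is an assumption for the demonstration.
    """
    store = SessionStore()
    store.create("alice", weak_session_id(clock_second))
    try:
        store.create("bob", weak_session_id(clock_second))
    except ValueError:
        return True
    return False


def demonstrate_fix() -> bool:
    """Two logins with the CSPRNG generator get distinct IDs and both succeed."""
    store = SessionStore()
    a = store.create("alice", strong_session_id())
    b = store.create("bob", strong_session_id())
    return a != b and store.owner(a) == "alice" and store.owner(b) == "bob"


if __name__ == "__main__":
    print("weak generator collision caught:", demonstrate_collision(1446000000))
    print("strong generator, two distinct sessions:", demonstrate_fix())
```

The important design point is that the store check is a backstop, not the fix: with a predictable generator an attacker-facing ID is guessable regardless of collisions, so the `secrets`-based generator is what actually removes the risk, and the duplicate check only turns any remaining bug into a visible error instead of a silent data spill.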

    1. allthecoolshortnamesweretaken

      "If it comes out of a machine, it ain't random." [citation needed]

  8. paulf
    Pirate

    I bet M&S are petrified

    The ICO is "making enquiries"...

  9. splodge

    This is not just a QA Department...

  10. Ugotta B. Kiddingme

    so now people know

    about my friend's purchase of a largish bath towel. Fat lot of good that knowledge will do them when the Vogons arrive...

    1. tony2heads
      Alien

      Re: so now people know

      I hope he's a frood who really knows where his towel is

      1. Stoneshop
        Thumb Up

        Re: so now people know

        I hope he's a frood who really knows where his towel is

        Could be anywhere as long as Brutish Snail hasn't "delivered" it.

        (thumb, as you need that too)

  11. This post has been deleted by its author

  12. alex comerford

    Chrome doesn't really like their site anyway:

    Your connection to www.marksandspencer.com is encrypted using an obsolete cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

    The connection uses TLS 1.2.

    The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message authentication and RSA as the key exchange mechanism.

    I have also lost the 577,000 sparks points I had yesterday before the shutdown. In fact I've lost my sparks card altogether as it's now linked to somebody else's account!

  13. Anonymous Coward

    Oi, Matt Horwood! Get it sorted, you plonker.

  14. Anonymous Coward

    We experienced this. My wife logged on to register her new Sparks card and the order history on her account showed random items, in random order, going back several years, none of which she'd bought. At first she thought her account had been hacked - she apparently had a £1,500 sideboard out for delivery - and only realised it was a wider problem when she got through to them on the phone (after about 20 minutes).
