German Survey Company Loses 41,000 Survey Records

Posted by timothy on Sun Jul 06, 2008 09:15 PM
from the entschuldigen-bitte dept.
mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."
  • How pathetic (Score:3, Insightful)

    by Darkness404 (1287218) on Sunday July 06 2008, @09:26PM (#24079557)
    How pathetic that these are the very sites that they make you have some ultra-secure password for because there is so much personal information on it and may even boast that the servers are stored in some nuclear bunker and mirrored in every country but yet they can't even enforce decent security on the site itself.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I can get my f'ing medical records over the phone with 1/8th the information I need to even pay my f'ing cell phone bill.

    • by omeomi (675045) on Sunday July 06 2008, @11:05PM (#24080165) Homepage
      Well, I certainly won't be completing any more German surveys...
      • Re: (Score:3, Interesting)

        Wrong. You can still complete any surveys you want.

        Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.

  • by inotocracy (762166) on Sunday July 06 2008, @09:30PM (#24079587) Homepage
    When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note [attrition.org].
    • by Hal_Porter (817932) on Sunday July 06 2008, @10:01PM (#24079781)

      What are you worried about? It's just bits. Information wants to be free. It's not like you own it or anything. Complaining about it being posted on the net will just lead to the Streisand Effect.

      Everyone knows that security through obscurity is a bad model. In the Web 2.0 world the only sustainable business model is to make your Social Security number public and sell support on people who want to use it. E.g. if some dude in Nigeria is trying to apply for a credit card in your name he might get asked about your postal address and secret codeword. You could make a few bucks if you gave him the information, more if you applied for the credit card for him yourself.

      And don't try to encrypt stuff. Studies show that 95% of Nigerian phishers want DRM free personal information.

    • by jlarocco (851450) on Sunday July 06 2008, @10:42PM (#24080009) Homepage

      When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

      Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

      • Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.

        What's needed is a short stay in prison for the CEO responsible for overseeing the project.

        A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.

      • The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

        Let me know how that works out for you. Companies that provide/are supposed to protect medical history? Not likely to happen. The only way - and you can be sure that, regardless of the country in which this stuff happens this won't become required - to make a dent in this stuff is to mandate prison tim
        • There is no reason for companies to take this too seriously since they can just say "my bad" and its business as usual again.

          You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be? You wouldn't give your car keys to a known car thief, so why will you give your private data (and money) to a company with a h

          • You wouldn't give your car keys to a known car thief

            But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?

            • As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better.

              Oh shut the fuck up. Nobody is forcing you to buy stuff. Like this survey company goes around, holding people at gunpoint, telling them to give out their private info and take a survey? Give me a fucking break.

              Can you provide even a single example where you simply *had* to buy some product or service from a company with poor data security.

              • Yup, the government. You're forced to give them data and they keep losing it. Other than that I'd like to ask how it is that you can know in advance which company is going to lose your data?

                It's only your responsibility to keep your details secure if you have prior knowledge of what's going to happen to them. This is one reason why there should be legal protections.

                Another is that companies will often change their behaviour for the worse, especially in times of financial difficulty. There need to be legal p

    • by Rakishi (759894) on Sunday July 06 2008, @10:48PM (#24080051)

      Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.

    • Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-

  • Not "Lost" (Score:5, Insightful)

    by mrroot (543673) on Sunday July 06 2008, @09:45PM (#24079661)

    it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.

    The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.

    Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

    • Re:Not "Lost" (Score:5, Interesting)

      by icepick72 (834363) on Sunday July 06 2008, @10:39PM (#24079993)
      Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

      Because companies who write code that badly also don't keep web logs.
    • Ok. So 41,000 could have been viewed, but only yours was.

      Feeling any better now?

  • by Noodles (39504) on Sunday July 06 2008, @09:46PM (#24079677)

    German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.

    • Or simply:

      TNS Infratest/Emnid has lost control of 41,000 private data records.

      • Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records.

        Nah, "exposes" creates more vivid mental images.

        • OMG, data porn!

          41,000 records doing it just for you, they have no shame and show you anything. Sign up now!

          Given the behaviour of our governments, I'm sure some professional paranoiacs would get an instant boner.

    • TNS is a worldwide company. I'd seriously hope that they don't use the same software everywhere in the world.
  • You know (Score:3, Funny)

    by I_am_the_cheese (1264298) on Sunday July 06 2008, @09:53PM (#24079713)
    that the expensive webmaster you just hired is actually a drunken lemur in disguise when...
    • Re: (Score:3, Interesting)

      Expensive webmaster?

      I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.

      You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is ab

  • Okay let's pull some CSI crap and go back in time. I can hear it now! "Naw, just code it in a GET, that's easier. Nobody will ever just type something" (except in German obviously :P)
  • That's nothing (Score:5, Informative)

    by Anonymous Coward on Sunday July 06 2008, @10:12PM (#24079841)

    I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.

    That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.

    Posted AC because the company is sue-happy about former employees.

    • It is established that an amazing (unknown)% of survey data is lost or released to unauthorized recipients. We'd tell you the percentage, but we lost the laptop with all records at the airport.

    • You could easily have posted it under your name. This is by far not the only company that has this problem, you could easily claim you were talking about a completely different company and ... hey, why do YOU sue, don't tell me YOU had that problem too! :)

  • by nathan.fulton (1160807) on Sunday July 06 2008, @10:22PM (#24079887) Homepage Journal
    I'm not going to get into a debate over consumer and business responsibilities, but it seems to me that at a certain point, you just have to be constantly vigilant and aware if you want your data to be secure. This is a perfect example -- you don't have to take surveys. What's the benefit?
    • by fuzzyfuzzyfungus (1223518) on Sunday July 06 2008, @10:33PM (#24079955) Journal
      Easy enough in this particular case, surveys are largely optional. Absolutely useless in the general case, though. I don't get to opt out of government data collection and storage, opting out of data collection and storage by utilities and financial institutions is possible but for most people only in a theoretical sense.

      This is a rather weak special case, I agree; but it points to no general form ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end (and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?
  • Wasn't Germany the country considering, or moving toward, some sort of draconian ban on hacking tools? If so, let's tell them that the URL modification trick only works in IE. Seriously, though, these constant data breaches are getting pathetic. Are we going to have to start shooting suits to get them to shape up?
    • Not just considering. They actually did it. Something their paranoid wheelchair didn't consider is that the internet doesn't care about borders, though, so it doesn't apply to me, and I can still provide security services for Germany.

      But I think the URL line in browsers is soon to be outlawed.

  • by Anonymous Coward on Sunday July 06 2008, @10:30PM (#24079939)

    We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your heart's content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.

    When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.

    Heartland payment systems is the company...

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        I posted anon because HPS is very very very sue happy, and I don't have the personal cash to front a law suit. What proof do you want? I will send you anything I can anonymously, but I won't risk a law suit from a company with more than a billion bucks in the bank.

        We found this bug because our code that interfaced with their system had a small bug (transposed 0 and 1 in an array dereference) and we accidentally billed customers that were not ours through their system, called them about it, they were extrem

          • Re: (Score:3, Insightful)

            If they are so sue happy what is preventing them from suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users.

            Let them. That's not the AC's problem, is it?

          • If he leaves out the company name, it's just an amusing story but achieves nothing.
            If he puts in the company name, it might just get seen by their customers, who might then take their business elsewhere, thereby solving the problem.

          • If they are so sue happy what is preventing them from suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users.

            Public exposure. If they'd sue Slashdot, you'd be sure many more people would become aware of their lax security than if some barely read anon comment merely mentions their name.

            Remember: reporting about a problem without having very solid proof is shaky legal ground. However, reporting about an ongoing lawsuit, including the subject of said suit, is not dicey, because court documents themselves prove that the suit exists. So basically, by suing Slashdot, they'd give not only Slashdot themselves, but also a

  • "It's not just governments that lose private data.

    Golly, I just assumed that government agencies, such as "TJX", "HSBC", and "Radio Shack" lose data.

    Really, does the writer really think that Slashdot readers don't read Slashdot? TJX and HSBC certainly aren't part of any government, yet there have been numerous reports about the loss of a ridiculous number of records.

    As for Radio Shack - I'm pretty sure that the government is propping them up. Then again, the government seems to be propping up banks too. OK, I stand corrected. Never mind.

  • by JayTech (935793) on Sunday July 06 2008, @11:47PM (#24080357)
    Last year Global Test Market (www.globaltestmarket.com) had a similar exploit, which I found; I was able to access anyone's account information, including their password via their ID. I reported it to their IT department, it took them almost a month to fix. Every single one of their clients' data on that site was exposed, and do you think the company notified the clients? Nope. It was as if they could care less. They never even gave me a pat on the back or anything. It's a wonder stuff like this doesn't happen more often, so many companies placing profits ahead of security.
    • Re: (Score:3, Interesting)

      Here's a nice test case: google for "customer login" and use the following password:

              ' or 1=1 and password='

      I tried and within the first 50 hits I got in.
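The payload quoted above only gets anywhere against code that splices the password straight into the SQL text. The example below is added here (not code from the thread) and runs that exact payload against a string-built query and against the parameterized form that treats it as data; the `customers` table, its two rows and the function names are constructed for the example.

```python
# Added example (not code from the thread): the quoted login payload run against
# a string-built query and against a parameterized one. The table and its two
# accounts are constructed sample data in an in-memory SQLite database.
import sqlite3

PAYLOAD = "' or 1=1 and password='"   # the password string quoted in the comment


def make_db():
    """Constructed accounts: one real user and one leftover row with a blank password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "alice", "correct horse"), (2, "guest", "")])
    return con


def login_vulnerable(con, username, password):
    """Concatenates input into SQL. The payload closes the password literal and
    appends its own clause, so the WHERE clause becomes
        (username='alice' AND password='') OR (1=1 AND password='')
    which matches any row whose password is empty: here, the 'guest' row."""
    sql = ("SELECT id FROM customers WHERE username='" + username
           + "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_fixed(con, username, password):
    """Binds the input as parameters: the quote characters stay inside the value,
    so the payload is just a password that matches nothing."""
    sql = "SELECT id FROM customers WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None
```

Storing plaintext passwords is a separate defect; the example keeps them only to stay close to the query shape the comment describes.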

  • Here, let me help you with a little pseudocode:

    String sUserId = request.getParameter("user_id");
    int userId = 0;
    try {
            userId = checkInt(userId);
            if (userId < 0) throw exception;
    } catch (Exception e) {
            exit();
    }
    User user = (User)session.getParameter("current_user");
    if (user.getId() != userId) {
            exit();
    }

    • WTF? They should just use the session parameter to fetch the data, instead of putting this as a parameter. I can see a reason for this only if they use the same page to display info for admins who can view everyone. I have the impression that people are unwilling to trust the session mechanism, while I have built a site which uses it heavily and this allows me to simplify the code a good bit. I suppose the default session mechanism doesn't scale as well as putting everything in the request, but then you can

      • Good point, I do agree with you that the userId should be taken out of the request and just pulled from session in many cases.

        However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account. That is why code of this nature is so common.

        • Super users being able to access any account can still be done through session or other server side mechanism :) The product we worked on at my previous job worked like that, and it went quite well too :)

      • userId = checkInt(userId);

        should be

        userId = checkInt(sUserId);

        This code checks that the userId from the request matches the current authenticated user in session. Thanks for your asshole comment. Have a nice day.
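The "increment the order number" flaw from the "That's nothing" comment above and the session check this pseudocode thread is arguing about, as an added Python example (not code from the thread or from any company named in it). `Request`, `RECORDS`, `lookup_vulnerable` and `lookup_fixed` are stand-ins constructed for the example, not a real framework API; the fixed version also covers the superuser case raised in the replies.

```python
# Added example (not code from the thread): the record lookup flaw described in
# the comments, and the server-side check the pseudocode is getting at.
# Request/session objects are simplified stand-ins, not a real framework API.
from dataclasses import dataclass, field

# Constructed sample data: survey records keyed by customer id.
RECORDS = {
    1001: {"name": "A. Example", "email": "a@example.invalid"},
    1002: {"name": "B. Example", "email": "b@example.invalid"},
}


@dataclass
class Request:
    method: str                                   # "GET" or "POST": irrelevant to authorization
    params: dict = field(default_factory=dict)    # query string or form body, client-controlled
    session: dict = field(default_factory=dict)   # server-side state set at login


def lookup_vulnerable(req):
    """Trusts the client-supplied id. Moving it from the query string into a
    POST body (the "fix" described in the thread) changes nothing here."""
    return RECORDS.get(int(req.params["customer_id"]))


def lookup_fixed(req):
    """Binds the record to the authenticated session. Only an admin may name
    another customer's id, and even that value is validated before use."""
    user_id = req.session.get("user_id")
    if user_id is None:
        raise PermissionError("not logged in")
    requested = req.params.get("customer_id")
    if requested is None:
        return RECORDS.get(user_id)      # ordinary case: no id from the client at all
    if not requested.isdigit():          # rejects "-5", "abc", "1 or 1=1", ...
        raise ValueError("customer_id must be a non-negative integer")
    requested = int(requested)
    if requested != user_id and not req.session.get("is_admin", False):
        raise PermissionError("not your record")
    return RECORDS.get(requested)
```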

  • To find other sites that make the same beginners' error. Looks like mainly spammers selling blue pills.

    Link [google.com]