German Survey Company Loses 41,000 Survey Records
mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar, access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."
How pathetic (Score:3, Insightful)
Re: (Score:2, Insightful)
I can get my f'ing medical records over the phone with 1/8th the information I need to even pay my f'ing cell phone bill.
Re:How pathetic (Score:5, Funny)
Re: (Score:3, Interesting)
Wrong. You can still complete any surveys you want.
Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.
Re: (Score:2)
A while ago, I started using some fake names for online surveys, then I added the name to my spam filter.
I get a whole lot less spam now.
Another day, another data leak. (Score:5, Insightful)
Re:Another day, another data leak. (Score:5, Funny)
What are you worried about? It's just bits. Information wants to be free. It's not like you own it or anything. Complaining about it being posted on the net will just lead to the Streisand Effect.
Everyone knows that security through obscurity is a bad model. In the Web 2.0 world the only sustainable business model is to make your Social Security number public and sell support on people who want to use it. E.g. if some dude in Nigeria is trying to apply for a credit card in your name he might get asked about your postal address and secret codeword. You could make a few bucks if you gave him the information, more if you applied for the credit card for him yourself.
And don't try to encrypt stuff. Studies show that 95% of Nigerian phishers want DRM free personal information.
Re:Another day, another data leak. (Score:5, Insightful)
Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.
Re: (Score:1)
If they had stricter policies about data leaving the compound, or at least encrypting whatever media it's on, a lot of this stuff could be avoided. There is no reason for companies to take thi
Re: (Score:2)
You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be? You wouldn't give your car keys to a known car thief, so why will you give your private data (and money) to a company with a h
Re: (Score:1, Insightful)
You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be?
It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies
Re: (Score:2)
Oh shut the fuck up. Nobody is forcing you to buy stuff. Like this survey company goes around, holding people at gunpoint, telling them to give out their private info and take a survey? Give me a fucking break.
Can you provide even a single example where you simply *had* to buy some product or service from a company with poor data security.
Re: (Score:2)
Yup, the government. You're forced to give them data and they keep losing it. Other than that I'd like to ask how it is that you can know in advance which company is going to lose your data?
It's only your responsibility to keep your details secure if you have prior knowledge of what's going to happen to them. This is one reason why there should be legal protections.
Another is that companies will often change their behaviour for the worse, especially in times of financial difficulty. There need to be legal p
Re: (Score:2)
Most of the recent data losses in the UK have involved government data. One was for the agency paying support to poor families - they *need* that money and cannot go elsewhere. Another was the Army recruitment department: if you want to join the Army, there isn't another one you can choose because this one had poor data security.
Re: (Score:2)
The government keeps screwing up and losing your data, and your solution is MORE government? Besides that, where do you think the government is going to get money to pay those fines?
Re: (Score:2)
So the government is part of the problem. But you'd like to have government help fix it. That plan sounds like a winner.
I'd also love to know how you meaningfully fine a government agency. Would they stop working, pay the fine out of their current budget and raise taxes later? Or can they wait until after they've raised taxes to start paying the fine?
Re: (Score:2)
It may even lead to those companies who are best at hiding it to appear to be the best.
As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better.
Re: (Score:2)
You wouldn't give your car keys to a known car thief
But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?
Re: (Score:2)
Would you have even taken your car there in the first place if you knew they had a history of having cars stolen out of the garage?
Re: (Score:2)
Would you have even taken your car there in the first place if you knew they had a history of having cars stolen out of the garage?
Most of the organisations who are losing data _don't_ have a history of losing data - there are just an awful lot of separate companies that have got crap security procedures which are being publicised for the first time.
Short of performing a full security audit on any company you hand any data to (clearly not feasible), what can you do? I certainly don't have a crystal ball th
Re: (Score:2)
Do you know why? It's because companies that lose data are never punished. Of the hundreds of data loss stories you've seen, how many of the companies involved have ever gone out of business because of it? How many have ever lost a significant portion of their customers? Why would a c
Re: (Score:2)
Do you know why? It's because companies that lose data are never punished.
You seem to be changing your argument - you originally argued that companies shouldn't be fined because it is the data owner's responsibility to make sure the organisations they give the data to have good security practices. My argument was that finding out how good an organisation's security is before an incident occurs isn't really feasible for most people. You now seem to have changed to being pro-punishment, and thus now support
Re: (Score:2)
The argument I've been making all along is that consumers should punish the offending companies by driving them out of business. I'm specifically arguing against the government getting involved in these cases because it shouldn't be necessary, limits freedom, wastes tax dollars, and encourages people to be irresponsible with their own data.
If consumers do what's in their best interest and a
Re: (Score:2)
Are you really this dense?
Is your argument really that insubstantial that you have to resort to hurling insults?
It's exactly the same idea if consumers drive the companies out of business for losing data, but without "big brother" looking out for everybody.
But that's just never going to happen - the majority of people are never going to consider the security of their data. Those of us who do care about security should not have to rely on everyone else to punish these organisations. The government's job is
Re: (Score:2)
Well, when I explain it half a dozen times, and you still don't seem to understand, I really have to wonder.
Re: (Score:2)
Is the government not supposed to represent the people anymore? If it's as you say, and people don't care about the privacy of their data, the government shouldn't care either.
As well as respecting the majority's wishes, the government is required to protect minority groups too... I guess the people who give a damn about their data security are a minority group.
Also, whilst the majority of people don't seem to give a damn about protecting their data themselves, they are going to give a damn when it is used
Re: (Score:2)
No... guess who *CHOOSES* to do business with organisations that have poor security? If you want a government babysitter, move to China. Everybody else here is happy with their freedom to do business with whomever they choose.
Re: (Score:2)
I don't know if you realize this, but in a democracy, the government is us. It is our servant, created for the specific purposes of dealing with antisocial behaviour and looking after us. It is perfect
Re: (Score:2)
You want the government to punish companies? But we are the government? So we are going to punish the companies? But we can't punish them by boycotting, driving them out of business and letting a responsib
I think a fine would help... (Score:3, Insightful)
Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.
What's needed is a short stay in prison for the CEO responsible for overseeing the project.
A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.
Re: (Score:2)
That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression. Putting the CEO of the government into prison would cause major political upheavals that would have massive knock-on effects, dependent upon the political system.
Re: (Score:2)
That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.
If the bank is that fragile it's doomed anyway. He could also get hit by a bus.
Putting the CEO of the government into prison would cause major political upheavals that would have massive knock-on effects, dependent upon the political system.
It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.
Re: (Score:2)
That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.
If the bank is that fragile it's doomed anyway. He could also get hit by a bus.
Getting hit by a bus does not imply criminality. It is the implication that the organisation has had a crook at its head which does the harm, not the departure of any single individual. Bankers work very hard to look respectable, hence the marble foyers and double breasted suits (not both worn at the same time).
Putting the CEO of the government into prison would cause major political upheavals that would have massive knock-on effects, dependent upon the political system.
It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.
Far be it from me to disagree..
Re: (Score:1)
Those people whose data they lost are not their customers, and even if they were - 5 minutes/hours/days of research wouldn't have helped them, as this security leak was not published before and they don't have a history of (published) data loss.
Re: (Score:1)
Financial punishment imposed by government would be a good indication for the public as well that the particular company screwed up. The bigger the sum, the better headlines.
Many areas of technology are strictly regulated. Are there any specific obstacles in information technology area for having such regulations?
Re: (Score:1)
Joe Sixpack would not recognize a privacy issue if it was dancing on a table, wearing a pink tutu and singing "Privacy issues are here again." Most people would not even know where to start looking for companies' track records on data safety. Most people simply look at cost (and maybe direct value) of the products they want.
A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.
Yes, it would lead to increased pricing, which would drive customers to other companies. Exactly what one wants.
Re: (Score:2)
Let me know how that works out for you. Companies that provide/are supposed to protect medical history? Companies that provide/are supposed to protect medical history? Not likely to happen. The only way - and you can be sure that, regardless of the country in which this stuff happens this won't become required - to make a dent in this stuff is to mandate prison tim
Re: (Score:1)
Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.
Just like how consumers don't buy gas from ExxonMobil anymore after they spilled lots of oil in Alaska.
Re: (Score:1)
If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy.
These are the same consumers who tolerate IE. We have lowered the barriers to entry such that the markets are broken. I don't know the answer, but the problem is obvious to anyone other than the layman.
Re: (Score:2)
The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.
A good number of the data leaks/thefts have happened at companies that rarely, if ever, deal with the people whose info they've lost (data resellers, information storehouses/providers, etc). How does someone who's had their information "misplaced" stop supporting a company they've never done business with in the first place?
Re: (Score:2)
Maybe by not doing business with companies that do business with them?
Re: (Score:2)
I hope you don't want a mortgage (or any other financial service), then. Or vote. Or have any account with just about any company.
I wouldn't say it's impossible to not do business with companies that sell your information, but it's as close as you get in the real world. You also have to take into account all the public records that go into these databases. While public and not all-encompassing on their own, combined together they can paint a pretty good picture of who you are.
Re: (Score:2)
And how exactly am I supposed to find out about a company's poor privacy practices?
My bank has twice now sent me notices in the mail about security breaches at some vendor with whom I have transacted. Unfortunately the bank does not tell me who the vendor is so I may avoid them in the future.
It's really sad that the identity theft situation has gotten so out of control when there's an extremely simple fix. If an institution does not properly check someone's identity (by an in-person visit with govern
Re: (Score:2)
Well what do both of the companies have in common? They're both contractors for the bank that you're still using, despite their using contractors with shit privacy practices.
I'm aware that it's a pain in the ass, but if individuals won't put in the effort to safeguard their own information, why s
Re:Another day, another data leak. (Score:5, Insightful)
Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.
Re: (Score:1)
Re: (Score:1)
So make any unreported leaks fined by a considerably greater amount, once uncovered.
This will just turn into another exercise in cost/benefits analysis for them. If they figure they'll get caught one time out of twenty and that the fine for non-disclosure is ten times larger than the normal fine, they'll opt for being sneaky bastards every single time.
there already is to some extent (Score:3, Interesting)
Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-
Re: (Score:1)
Not "Lost" (Score:5, Insightful)
it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.
The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.
Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.
Re:Not "Lost" (Score:5, Interesting)
Because companies who write code that badly also don't keep web logs.
Re: (Score:2)
Ok. So 41,000 could have been viewed, but only yours was.
Feeling any better now?
Re: (Score:1)
Of course, that's no evidence, but what are they supposed to do? Publish them?
Horrible article title. Loses --- Exposes (Score:5, Informative)
German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.
Re: (Score:2)
TNS Infratest/Emnid has lost control of 41,000 private data records.
Re: (Score:3, Funny)
Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records.
Nah, "exposes" creates more vivid mental images.
Re: (Score:2)
OMG, data porn!
41,000 records doing it just for you, they have no shame and show you anything. Sign up now!
Given the behaviour of our governments, I'm sure some professional paranoiacs would get an instant boner.
Re: (Score:1)
Naw, more likely to think it's about the White House.
Re: (Score:2)
Re: (Score:1)
The article on heise.de referencing this does not mention any losses.
The Same Problem, Yet Again (Score:1, Redundant)
I've written several white papers [thinkcomputer.com] and op-eds [aarongreenspan.com] about how this problem has affected various companies and government entities. Sadly, it never seems to go away.
You know (Score:3, Funny)
Re: (Score:3, Interesting)
Expensive webmaster?
I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.
You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is ab
CSI my city (Score:2)
That's nothing (Score:5, Informative)
I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.
That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.
Posted AC because the company is sue-happy about former employees.
this is how common it is.. (Score:2, Funny)
It is established that an amazing (unknown)% of survey data is lost or released to unauthorized recipients. We'd tell you the percentage, but we lost the laptop with all records at the airport.
Re: (Score:2)
You could easily have posted it under your name. This is by far not the only company that has this problem, you could easily claim you were talking about a completely different company and ... hey, why do YOU sue, don't tell me YOU had that problem too! :)
Solution: don't hand out your data (Score:3, Insightful)
Re:Solution: don't hand out your data (Score:5, Insightful)
This is a rather weak special case, I agree; but it points to no general form ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end (and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?
OMG IE is a haxx0r. (Score:2)
Re: (Score:2)
Not just considering. They actually did it. Something their paranoid wheelchair didn't consider is that the internet doesn't care about borders, though, so it doesn't apply to me, and I can still provide security services for Germany.
But I think the URL line in browsers is soon to be outlawed.
Not the worst I've seen... (Score:5, Informative)
We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your heart's content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.
When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.
Heartland payment systems is the company...
Re: (Score:2, Interesting)
I posted anon because HPS is very very very sue happy, and I don't have the personal cash to front a lawsuit. What proof do you want? I will send you anything I can anonymously, but I won't risk a lawsuit from a company with more than a billion bucks in the bank.
We found this bug because our code that interfaced with their system had a small bug (transposed 0 and 1 in an array dereference) and we accidentally billed customers that were not ours through their system, called them about it, they were extrem
Re: (Score:1)
If they are so sue happy what is preventing them from suing
Re: (Score:3, Insightful)
If they are so sue happy what is preventing them from suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users.
Let them. That's not the AC's problem, is it?
Re: (Score:2)
If he leaves out the company name, it's just an amusing story but achieves nothing.
If he puts in the company name, it might just get seen by their customers, who might then take their business elsewhere, thereby solving the problem.
Re: (Score:2)
If they are so sue happy what is preventing them in suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users.
Public exposure. If they'd sue Slashdot, you'd be sure many more people would become aware of their lax security than if some barely read anon comment merely mentions their name.
Remember: reporting about a problem without having very solid proof is shaky legal ground. However, reporting about an ongoing lawsuit, including the subject of said suit, is not dicey, because court documents themselves prove that the suit exists. So basically, by suing Slashdot, they'd give not only Slashdot themselves, but also a
Re: (Score:2)
Yes, why attribute blame to people/companies that actually screw up? Why would you even ask this question?
"Bah" on Stupid Comments within Story Summaries. (Score:4, Funny)
"It's not just governments that lose private data.
Golly, I just assumed that government agencies, such as "TJX", "HSBC", and "Radio Shack" lose data.
Really, does the writer really think that Slashdot readers don't read Slashdot? TJX and HSBC certainly aren't part of any government, yet there have been numerous reports about the loss of a ridiculous number of records.
As for Radio Shack - I'm pretty sure that the government is propping them up. Then again, the government seems to be propping up banks too. OK, I stand corrected. Never mind.
Re:"Bah" on Stupid Comments within Story Summaries (Score:4, Funny)
CIA front. Didn't you know that's where all the terrorists buy their bomb parts? Why do you think they insist on such detailed contact info for a $1.50 purchase?
Re: (Score:2)
Re: (Score:1)
Re:"Bah" on Stupid Comments within Story Summaries (Score:2)
Re: (Score:1)
Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.
That's the government's fault.
Re: (Score:2)
Well, that works the other way 'round too. Blind government bashing is likely to strike a target simply by there being so many that you're bound to hit one.
How many more cases? (Score:5, Informative)
Re: (Score:3, Interesting)
Here's a nice test case: google for "customer login" and use the following password:
' or 1=1 and password='
I tried and within the first 50 hits I got in.
Re: (Score:1)
Of course after giving them time to fix it, but a deadline gets things done faster.
Also, their customers might have liked to know their information should be assumed to have been compromised.
So easy to fix (Score:2)
Here, let me help you with a little pseudocode:
String sUserId = request.getParameter("user_id");
int userId = 0;
try {
    userId = checkInt(userId);
    if (userId < 0) throw exception;
} catch (Exception e) {
    exit();
}
User user = (User)session.getParameter("current_user");
if (user.getId() != userId) {
    exit();
}
Re: (Score:1, Informative)
String sUserId = request.getParameter("user_id");
int userId = 0;
try {
    userId = checkInt(userId);
    if (userId < 0) throw exception;
} catch (Exception e) {
    exit();
}
User user = (User)session.getParameter("current_user");
if (user.getId() != userId) {
    exit();
}
The first line of your try block just runs a checkInt() on integer 0. Perhaps you mean to be checking sUserId rather than userId? Even once that issue is fixed, I don't see how your code snippet helps anything. For someone trying to help out with a security problem, you don't seem to be proving yourself to be very competent. :p
Re: (Score:2)
userId = checkInt(userId);
should be
userId = checkInt(sUserId );
This code checks that the userId from the request matches the current authenticated user in session. Thanks for your asshole comment. Have a nice day.
Re: (Score:2)
WTF? They should just use the session parameter to fetch the data, instead of putting this as a parameter. I can see a reason for this only if they use the same page to display info for admins who can view everyone. I have the impression that people are unwilling to trust the session mechanism, while I have built a site which uses it heavily and this allows me to simplify the code a good bit. I suppose the default session mechanism doesn't scale as well as putting everything in the request, but then you can
Re: (Score:2)
Good point, I do agree with you that the userId should be taken out of the request and just pulled from session in many cases.
However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account. That is why code of this nature is so common.
Re: (Score:2)
Super users being able to access any account can still be done through session or other server side mechanism :) The product we worked on at my previous job worked like that, and it went quite well too :)
Re: (Score:2)
In order for a superuser to view or take over a specific user account; that superuser will need to select a user to view via some kind of request parameter.
Re: (Score:2)
Except that he can't, in your example, because a mismatch between the userId parameter and the user associated with the session causes the whole server to exit. Holy Denial of Service, Batman :)! Perhaps you meant "if (!user.isSuperUser() && !user.isId(userId))"? Or perhaps even "if (!user.canAccessId(userId))"? The
Re: (Score:2)
> causes the whole server to exit.
Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.
However, I agree with you 100% that the administrative utility should be separated from the normal user account, and therefore the standard user page would only need to grab the userid from the session. Your point is well taken.
Also be wary of RBAC calls like user.isSuperUse
Re: (Score:2)
If pointing out your errors insults you, that is unfortunate; but it doesn't make me or anyone else an asshole.
And pseudo-code doesn't mean code that has logical errors, it means a step-by-step presentation of an algorithm that's easily turned into actual code. And your "pseudo-code" bears an uncanny rese
Re: (Score:2)
Your smarmy little comments were not necessary. My original code stating that the userId from the request needed to be a positive integer that matched the current user in session illustrated that this is a simple problem to solve.
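The ownership check argued over in the pseudo-code thread above, and the reason the GET-to-POST "fix" in the earlier shopping-cart comment changes nothing, shown as an added example (not code from any commenter or from the companies discussed). The target ID defaults to the session identity, a request parameter is honoured only after a server-side policy check, and a denial rejects just that one request and is logged. All class, method and data names are hypothetical, and the records are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.OptionalInt;

// Added illustration (Java 16+). Every class, method and value here is hypothetical.
public class RecordAccessDemo {
    enum Role { PARTICIPANT, ADMIN }
    record User(int id, Role role) {}
    record SurveyRecord(String name, String email) {}
    record Response(int status, String body) {}

    // Constructed sample data standing in for the survey database, keyed by owner ID.
    static final Map<Integer, SurveyRecord> DB = Map.of(
        1001, new SurveyRecord("Alice Example", "alice@example.test"),
        1002, new SurveyRecord("Bob Example", "bob@example.test"));

    // Denied attempts, kept so that ID enumeration shows up in monitoring.
    static final List<String> AUDIT = new ArrayList<>();

    // Strict parse: 1-9 ASCII digits (cannot overflow int), value must be positive.
    static OptionalInt parseId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,9}")) return OptionalInt.empty();
        int id = Integer.parseInt(raw);
        return id > 0 ? OptionalInt.of(id) : OptionalInt.empty();
    }

    // Single policy function: owners see their own record, admins see any.
    static boolean canAccess(User actor, int targetId) {
        return actor.role() == Role.ADMIN || actor.id() == targetId;
    }

    // 'method' is only logged: the decision is identical for GET and POST.
    static Response handle(String method, Map<String, String> params, User sessionUser) {
        if (sessionUser == null) return new Response(401, "login required");
        int target = sessionUser.id();            // default: identity from the session
        String raw = params.get("user_id");       // client-controlled, never trusted
        if (raw != null) {
            OptionalInt parsed = parseId(raw);
            if (parsed.isEmpty()) return new Response(400, "bad user_id");
            target = parsed.getAsInt();
        }
        if (!canAccess(sessionUser, target)) {
            AUDIT.add("DENY " + method + " actor=" + sessionUser.id() + " target=" + target);
            return new Response(404, "not found"); // same answer as a missing record
        }
        SurveyRecord rec = DB.get(target);
        if (rec == null) return new Response(404, "not found");
        return new Response(200, rec.name() + " <" + rec.email() + ">");
    }

    static void show(String label, Response r) {
        System.out.println(label + " -> " + r.status() + " " + r.body());
    }

    public static void main(String[] args) {
        User alice = new User(1001, Role.PARTICIPANT);
        User admin = new User(1, Role.ADMIN);
        show("own record, no parameter", handle("GET", Map.of(), alice));
        show("own record, explicit id", handle("GET", Map.of("user_id", "1001"), alice));
        show("other record via GET", handle("GET", Map.of("user_id", "1002"), alice));
        show("other record via POST", handle("POST", Map.of("user_id", "1002"), alice));
        show("admin reads 1002", handle("GET", Map.of("user_id", "1002"), admin));
        show("malformed id", handle("GET", Map.of("user_id", "1002x"), alice));
        show("no session", handle("GET", Map.of("user_id", "1001"), null));
        AUDIT.forEach(System.out::println);
    }
}
```

Run it with `java RecordAccessDemo.java`; the two audit lines at the end are the kind of signal that reveals someone stepping through IDs.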
Google for "&user=" (Score:2)
Link [google.com]