German Survey Company Loses 41,000 Survey Records

mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."

How pathetic

[Darkness404]

How pathetic that these are the very sites that they make you have some ultra-secure password for because there is so much personal information on it and may even boast that the servers are stored in some nuclear bunker and mirrored in every country but yet they can't even enforce decent security on the site itself.

Another day, another data leak.

[inotocracy]

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note [attrition.org].

Re:How pathetic

[Anonymous Coward]

I can get my f'ing medical records over the phone with 1/8th the information i need to even pay my f'ing cell phone bill.

Not "Lost"

[mrroot]

it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.

The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.

Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

Solution: don't hand out your data

[nathan.fulton]

I'm not going to get into a debate over consumer and business responsibilities, but it seems to me that at a certain point, you just have to be constantly vigilant and aware if you want your data to be secure. This is a perfect example -- you don't have to take surveys. What's the benefit?

Re:Solution: don't hand out your data

[fuzzyfuzzyfungus]

Easy enough in this particular case, surveys are largely optional. Absolutely useless in the general case, though. I don't get to opt out of government data collection and storage, opting out of data collection and storage by utilities and financial institutions is possible but for most people only in a theoretical sense.

This is a rather weak special case, I agree; but it points to no general form ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end(and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?

Re:Another day, another data leak.

[jlarocco]

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

Re:Another day, another data leak.

[Rakishi]

Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.

Re:Really?

[pclminion]

If they are so sue happy what is preventing them in suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users.

Let them. That's not the AC's problem, is it?

I think a fine would help...

[Joce640k]

Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.

What's needed is a short stay in prison for the CEO responsible for overseeing the project.

A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.

Re:Another day, another data leak.

[Anonymous Coward]

You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be?

It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies does not exist. As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better. This is the sort of thing where legal sanctions *are* necessary.