German Survey Company Loses 41,000 Survey Records
mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."
Re:Not "Lost" (Score:5, Interesting)
Because companies who write code that badly also don't keep web logs.
there already is to some extent (Score:3, Interesting)
Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-theft and credit-monitoring through some service for everyone who was affected.
Re:Really? (Score:2, Interesting)
I posted anon because HPS is very very very sue happy, and I don't have the personal cash to front a law suit. What proof do you want? I will send you anything I can anonymously, but I won't risk a law suit from a company with more than a billion bucks in the bank.
We found this bug because our code that interfaced with their system had a small bug (transposed 0 and 1 in an array dereference) and we accidentally billed customers that were not ours through their system. When we called them about it, they were extremely combative, accused us of hacking, threatened lawsuits and shut down our account.
Re:How pathetic (Score:3, Interesting)
Wrong. You can still complete any surveys you want.
Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.
Re:You know (Score:3, Interesting)
Expensive webmaster?
I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.
You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is about, or how to keep people from viewing data they should have no access to. The way this was "hacked" shows it far too well.
I'm doing security audits. You would be amazed how many companies, even companies that actually do have some security conscience due to self interest (read: when their data is on the loose, they lose money because they actually want to sell that data), lack in security. There are servers with public access that are "free for all" (sure, there's a login and everything, but failure to log in does not keep you out), you have examples like the one here (if you have access to one set of data you have access to all of them if you know how to access them, and choosing a different user ID isn't rocket science), the list goes on.
The problem isn't that companies wouldn't want to have security. The problem is just that few are willing to pay for it. In comes some cheap moron that claims he can, and he spews that in the face of a boss who readily believes that TCP is some sort of three letter agency, so he gets signed up.
This is what's wrong here. I'm the last person asking for some sort of certificate (most of the IT certs you can get today are more the kind of "dump money here, pull cert out there"), but as long as the people hiring security personnel have no idea about security themselves, snakeoil vendors will have an easy life.
Re:How many more cases? (Score:3, Interesting)
Here's a nice test case: google for "customer login" and use the following password:
' or 1=1 and password='
I tried and within the first 50 hits I got in.
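Both flaws discussed in this thread, the summary's "change the customer ID in the address bar" leak and the login form that accepts the string quoted in the last comment, are server-side failures of the same kind: trusting client input where the server must decide. The following is an added example, not code from Slashdot, the CCC, or TNS Infratest/Emnid; the SQLite schema, the two accounts, the survey rows and the helper names (`login`, `get_survey`, `enumerating_sessions`) are all constructed for illustration. It shows a parameterised login in which the quoted string is compared literally and matches nothing, a record lookup whose WHERE clause carries the ownership condition so that an edited id returns nothing, and a small check over the denied-lookup log that flags one session walking through many ids, which is the kind of web-log signal the "don't keep web logs" comment alludes to.

```python
import hashlib
import hmac
import sqlite3

# Added example (assumed schema and constructed sample data, not the
# system described in the story): a minimal survey store with the two
# server-side checks the thread points at.


def hash_pw(password: str) -> str:
    # Illustrative only: a real deployment uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with two participants and two records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("CREATE TABLE surveys (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", hash_pw("alice-pass")), (2, "bob", hash_pw("bob-pass"))])
    conn.executemany("INSERT INTO surveys VALUES (?, ?, ?, ?)",
                     [(100, 1, "Alice Example", "1980-01-01"), (101, 2, "Bob Example", "1975-05-05")])
    conn.commit()
    return conn


def login(conn, username: str, password: str):
    """Return the user's id on success, else None.

    Bound parameters are never parsed as SQL, so a value such as the
    ' or 1=1 and password='  string quoted in the thread is compared
    literally as a login or password and matches nothing."""
    row = conn.execute("SELECT id, pw_hash FROM users WHERE login = ?", (username,)).fetchone()
    if row is None:
        return None
    uid, stored = row
    if not hmac.compare_digest(stored, hash_pw(password)):
        return None
    return uid


def get_survey(conn, session_user_id: int, survey_id: int, denied_log: list):
    """Return the survey record only if it belongs to the logged-in user.

    Ownership is part of the WHERE clause, so editing the id in the address
    bar (the flaw in the story) yields nothing. Denied lookups are recorded
    so that log review can see one session probing many ids."""
    row = conn.execute(
        "SELECT id, name, dob FROM surveys WHERE id = ? AND user_id = ?",
        (survey_id, session_user_id),
    ).fetchone()
    if row is None:
        # Same answer for "not yours" and "does not exist": reveal nothing.
        denied_log.append((session_user_id, survey_id))
        return None
    return {"id": row[0], "name": row[1], "dob": row[2]}


def enumerating_sessions(denied_log: list, threshold: int = 3) -> set:
    """Users with at least `threshold` denied lookups of distinct survey ids."""
    per_user = {}
    for uid, sid in denied_log:
        per_user.setdefault(uid, set()).add(sid)
    return {uid for uid, ids in per_user.items() if len(ids) >= threshold}


if __name__ == "__main__":
    db = build_db()
    denied = []
    uid = login(db, "alice", "alice-pass")
    print(get_survey(db, uid, 100, denied))        # Alice's own record
    for guess in (101, 102, 103):
        get_survey(db, uid, guess, denied)         # other ids: None, and logged
    print(enumerating_sessions(denied))            # {1}
```

The ownership test lives in the query rather than in a later `if`, so there is no code path that fetches another participant's row and then forgets to check it; and denied and nonexistent ids produce the same response, so the lookup does not confirm which ids are valid.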