Two web sites have been caught out by simple security flaws
which exposed customer data, in breach of the Data Protection Act.
The flaws on both a Compaq site and Official-Merchandise.co.uk were
identified by news site The Register.
Compaq’s e-commerce site athome.compaq.com and the UK sportswear
e-tailer official-merchandise.co.uk operated in similar ways. Both
sites allocated each customer a specific URL for checking his or
her account details such as name, address and telephone number.
Each URL included the order number. By simply changing the order
number in the URL, one customer could access the accounts of the
others. All customer data was held in an unencrypted database.
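The flaw just described, as an added illustration that is not from the article or from either site's code: a lookup keyed only on the order number taken from the URL, beside a lookup that also requires the order to belong to the signed-in customer. The order records, customer identifiers and function names are constructed for the example.

```python
"""Added example: why an order number in a URL must not be the only key.
All data below is constructed and stands in for the customer database."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_no: int
    customer_id: str   # the customer who placed the order
    name: str
    address: str
    phone: str


# Constructed sample records: two customers, consecutive order numbers.
ORDERS = {
    1001: Order(1001, "cust-a", "A. Customer", "1 High Street", "020 0000 0001"),
    1002: Order(1002, "cust-b", "B. Customer", "2 Low Road", "020 0000 0002"),
}


def lookup_vulnerable(order_no_from_url: str) -> Optional[Order]:
    """The pattern in the article: the record is returned to whoever
    supplies its order number, so editing 1001 to 1002 in the URL yields
    another customer's name, address and telephone number."""
    try:
        return ORDERS.get(int(order_no_from_url))
    except ValueError:
        return None


def lookup_hardened(session_customer_id: str, order_no_from_url: str) -> Optional[Order]:
    """The fix: the order number is only a hint. The server checks that the
    record belongs to the authenticated customer before returning it.
    Malformed, unknown and foreign order numbers all map to None, so the
    response does not confirm whether a guessed number exists."""
    try:
        order_no = int(order_no_from_url)
    except ValueError:
        return None
    order = ORDERS.get(order_no)
    if order is None or order.customer_id != session_customer_id:
        return None
    return order


if __name__ == "__main__":
    # Customer A is signed in and tampers with the order number in the URL.
    print(lookup_vulnerable("1002"))              # leaks customer B's record
    print(lookup_hardened("cust-a", "1002"))      # None: not A's order
    print(lookup_hardened("cust-a", "1001"))      # A's own record
```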
Failure to adequately secure such customer information
contravenes the Data Protection Act 1998, which provides that:
"Appropriate technical and organisational
measures shall be taken against unauthorised or unlawful processing
of personal data and against accidental loss or destruction of, or
damage to, personal data."
The Register noted that no credit card details were exposed and
that both sites acted quickly to repair the flaw when alerted to
the problem. The news site recommends that the sites should be
encoding their database queries and encrypting customer information
on secure servers.