Slashdot Mirror


German Survey Company Loses 41,000 Survey Records

mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar, access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."
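The flaw in the summary is a record lookup keyed only on the customer ID taken from the URL. The sketch below is an added example, not code from the original post or from the survey site; it puts that pattern beside a lookup that checks ownership, and adds a log check for one client requesting many different IDs. The `/results?customer_id=` layout, session tokens, record fields and log format are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: records, tokens and URL layout are hypothetical.
RECORDS = {
    1001: {"name": "Participant A", "email": "a@example.org"},
    1002: {"name": "Participant B", "email": "b@example.org"},
    1003: {"name": "Participant C", "email": "c@example.org"},
}
# Session token -> the customer ID that token was issued to.
SESSIONS = {"tok-a": 1001, "tok-b": 1002}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def results_unchecked(session_token, customer_id):
    """Flawed pattern: the ID from the URL alone selects the record."""
    return RECORDS[customer_id]


def results_checked(session_token, customer_id):
    """Same lookup, but the record must belong to the authenticated caller."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("no valid session")
    if owner != customer_id:
        raise Forbidden("record belongs to another participant")
    return RECORDS[customer_id]


# Hypothetical access-log format: client address, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) "GET /results\?customer_id=(?P<cid>\d+)" (?P<status>\d{3})$'
)

# Constructed log lines using documentation-range addresses.
SAMPLE_LOG = [
    '198.51.100.10 "GET /results?customer_id=1001" 200',
    '198.51.100.10 "GET /results?customer_id=1001" 200',
    '203.0.113.5 "GET /results?customer_id=1001" 200',
    '203.0.113.5 "GET /results?customer_id=1002" 200',
    '203.0.113.5 "GET /results?customer_id=1003" 200',
    '203.0.113.5 "GET /results?customer_id=1004" 404',
    'malformed line',
]


def flag_id_walking(lines, max_distinct=2):
    """Return {client: sorted distinct IDs} for clients over the threshold.

    Requests that ended in 404 are counted too: asking for IDs that do not
    exist is part of the same pattern.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a results request, or not parseable
        seen[m["client"]].add(int(m["cid"]))
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    print(results_unchecked("tok-b", 1001))  # another participant's record
    try:
        results_checked("tok-b", 1001)
    except Forbidden as exc:
        print("denied:", exc)
    print(flag_id_walking(SAMPLE_LOG))
```

The ownership check is the fix; the log check only helps establish after the fact which records were reached and by whom.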

122 comments

  1. 4chan by Anonymous Coward · · Score: 0

    If they need to find it they should just keep an eye on 4chan, someone will post it there in a few days.

  2. How pathetic by Darkness404 · · Score: 2, Insightful

    How pathetic that these are the very sites that they make you have some ultra-secure password for because there is so much personal information on it and may even boast that the servers are stored in some nuclear bunker and mirrored in every country but yet they can't even enforce decent security on the site itself.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:How pathetic by Anonymous Coward · · Score: 2, Insightful

      I can get my f'ing medical records over the phone with 1/8th the information I need to even pay my f'ing cell phone bill.

    2. Re:How pathetic by omeomi · · Score: 4, Funny

      Well, I certainly won't be completing any more German surveys...

    3. Re:How pathetic by Opportunist · · Score: 2, Interesting

      Wrong. You can still complete any surveys you want.

      Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:How pathetic by Anonymous Coward · · Score: 0

      I earn about $200 in cash and gift cards each month by taking surveys, plus maybe $5-10 in free products to test. None of these sites ask you for an "ultra-secure" password. One site even limits you to 8 characters. I would not be surprised to see "password" accepted as a password.

      These sites are poorly put together and it is the rare survey that utilizes HTTPS. From what I can tell, these sites play fast and loose with your data.

      As with any site, the real trick is to only give them the information that is actually necessary and fake any information that is not necessary. (Hint: No one needs your exact date of birth to fit you into the 18-25 year-old demographic.) And, of course, any information you're not comfortable falling into the wrong hands, simply don't share.

  3. Another day, another data leak. by inotocracy · · Score: 5, Insightful

    When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

    1. Re:Another day, another data leak. by Hal_Porter · · Score: 5, Funny

      What are you worried about? It's just bits. Information wants to be free. It's not like you own it or anything. Complaining about it being posted on the net will just lead to the Streisand Effect.

      Everyone knows that security through obscurity is a bad model. In the Web 2.0 world the only sustainable business model is to make your Social Security number public and sell support on people who want to use it. E.g. if some dude in Nigeria is trying to apply for a credit card in your name he might get asked about your postal address and secret codeword. You could make a few bucks if you gave him the information, more if you applied for the credit card for him yourself.

      And don't try to encrypt stuff. Studies show that 95% of Nigerian phishers want DRM free personal information.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:Another day, another data leak. by jlarocco · · Score: 5, Insightful

      When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

      Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

    3. Re:Another day, another data leak. by Rakishi · · Score: 5, Insightful

      Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.

    4. Re:Another day, another data leak. by inotocracy · · Score: 1

      A large fine might help a bit with their security practices and prevent some of these incidents. Sure, there will still be accidents like these, but they may be further apart and less severe. It's pretty common to read about some employee losing a laptop, or tape drives containing large amounts of private information.

      If they had stricter policies about data leaving the compound, or at least encrypting whatever media it's on, a lot of this stuff could be avoided. There is no reason for companies to take this too seriously since they can just say "my bad" and it's business as usual again.

      Imagine if the company had to pay a fine of $5,000 or more, per customer involved in the data loss. My guess is they would be a bit more careful.

    5. Re:Another day, another data leak. by Anonymous Coward · · Score: 0

      Fine the companies? The root problem are the idiots that fill out these forms. Just fine these form-filling morons into oblivion and push them into bankruptcy. Oh wait, I guess that happens already, and the soup lines will soon be full. Soylent Green, it's made of unemployed people!

    6. Re:Another day, another data leak. by jlarocco · · Score: 1

      There is no reason for companies to take this too seriously since they can just say "my bad" and it's business as usual again.

      You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be? You wouldn't give your car keys to a known car thief, so why will you give your private data (and money) to a company with a history of data loss?

      It's our responsibility as consumers to punish companies that lose ours and other people's data by no longer doing business with them. We don't need the government looking over everybody's shoulder making sure we're all being treated okay. Believe it or not, it's up to us to look out for ourselves sometimes!

      Imagine if the company had to pay a fine of $5,000 or more, per customer involved in the data loss. My guess is they would be a bit more careful.

      My guess is they'd charge $5000 more per customer, for "extra security." And then lose the data anyway.

    7. Re:Another day, another data leak. by Sky Cry · · Score: 1

      So make any unreported leaks fined by a considerably greater amount, once uncovered.

    8. Re:Another day, another data leak. by Anonymous Coward · · Score: 1, Insightful

      You just don't get it, do you? It's your responsibility, as the "owner" of that information, to make sure it stays private. If a person willingly hands over their private data to a company with a history of data loss, how important can the data really be?

      It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies does not exist. As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better. This is the sort of thing where legal sanctions *are* necessary.

    9. Re:Another day, another data leak. by jlarocco · · Score: 1

      As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better.

      Oh shut the fuck up. Nobody is forcing you to buy stuff. Like this survey company goes around, holding people at gunpoint, telling them to give out their private info and take a survey? Give me a fucking break.

      Can you provide even a single example where you simply *had* to buy some product or service from a company with poor data security?

    10. Re:Another day, another data leak. by neumayr · · Score: 1

      In this case, "driving them out of business" might be a little harder than you might imagine - they're a huge company with 14k employees in 70 countries, and their customers are governments, companies and press agencies.
      Those people whose data they lost are not their customers, and even if they were - 5 minutes/hours/days of research wouldn't have helped them, as this security leak was not published before and they don't have a history of (published) data loss.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    11. Re:Another day, another data leak. by maguz · · Score: 1

      Financial punishment imposed by government would be a good indication for the public as well that the particular company screwed up. The bigger the sum, the better headlines.

      Many areas of technology are strictly regulated. Are there any specific obstacles in information technology area for having such regulations?

    12. Re:Another day, another data leak. by leomekenkamp · · Score: 1

      Joe Sixpack would not recognize a privacy issue if it was dancing on a table, wearing a pink tutu and singing "Privacy issues are here again.". Most people would not even know where to start looking for companies' track records on data safety. Most people simply look at cost (and maybe direct value) of the products they want.

      A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

      Yes, it would lead to increased pricing, which would drive customers to other companies. Exactly what one wants.

      --
      Wenn ist das Nunstueck git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput.
    13. Re:Another day, another data leak. by ubrgeek · · Score: 1

      The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

      Let me know how that works out for you. Companies that provide/are supposed to protect medical history? Companies that provide/are supposed to protect medical history? Not likely to happen. The only way - and you can be sure that, regardless of the country in which this stuff happens this won't become required - to make a dent in this stuff is to mandate prison time for senior management. What's that? The CTO doesn't know enough about computers to make sure the database his folks built is secure? Mandate third-party audits for any product that is designed to store privacy information. Is that a guarantee that it'll work? Nope, but it's better than nothing.

      Otherwise, grow up. "Voting with your wallet" doesn't work if a company like Nike loses your personal information. In their mind, your wallet contains pocket change.

      --
      Bark less. Wag more.
    14. Re:Another day, another data leak. by Joker1980 · · Score: 1

      It's been said before, $1 million fine per piece of personal data lost, it would stop being collected by the end of the week.

      --
      Well, Bart, your uncle Arthur used to have a saying: "Shoot 'em all and let God sort 'em out."
    15. Re:Another day, another data leak. by Nursie · · Score: 1

      Yup, the government. You're forced to give them data and they keep losing it. Other than that I'd like to ask how it is that you can know in advance which company is going to lose your data?

      It's only your responsibility to keep your details secure if you have prior knowledge of what's going to happen to them. This is one reason why there should be legal protections.

      Another is that companies will often change their behaviour for the worse, especially in times of financial difficulty. There need to be legal provisions in place to stop them selling data on.

    16. Re:Another day, another data leak. by FireFury03 · · Score: 1

      You wouldn't give your car keys to a known car thief

      But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?

    17. Re:Another day, another data leak. by AlecC · · Score: 1

      Most of the recent data losses in the UK have involved government data. One was for the agency paying support to poor families - they *need* that money and cannot go elsewhere. Another was the Army recruitment department: if you want to join the Army, there isn't another one you can choose because this one had poor data security.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    18. Re:Another day, another data leak. by Tikkun · · Score: 1

      Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

      Just like how consumers don't buy gas from ExxonMobil anymore after they spilled lots of oil in Alaska.

    19. Re:Another day, another data leak. by mpe · · Score: 1

      It's you who 'doesn't get it'. Virtually all such companies appear to be equally careless with their customer information. And the 'full disclosure' of such data losses, which would be required if you were to have any chance of punishing the 'bad' companies does not exist.

      It may even lead to those companies who are best at hiding it to appear to be the best.

      As a consequence of modern day life we are *forced* to do business with at least some of these companies and so they have no incentive to do better. This is the sort of thing where legal sanctions *are* necessary.

      The problem with legal sanctions is that the worst offenders include government and government contractors. Where there is quite literally no competition.

    20. Re:Another day, another data leak. by OzoneLad · · Score: 1

      So make any unreported leaks fined by a considerably greater amount, once uncovered.

      This will just turn into another exercise in cost/benefits analysis for them. If they figure they'll get caught one time out of twenty and that the fine for non-disclosure is ten times larger than the normal fine, they'll opt for being sneaky bastards every single time.

    21. Re:Another day, another data leak. by ultranova · · Score: 1

      It's our responsibility as consumers to punish companies that lose ours and other people's data by no longer doing business with them. We don't need the government looking over everybody's shoulder making sure we're all being treated okay. Believe it or not, it's up to us to look out for ourselves sometimes!

      I don't know if you realize this, but in a democracy, the government is us. It is our servant, created for the specific purposes of dealing with antisocial behaviour and looking after us. It is perfectly valid to delegate the task of dealing with companies and forcing them to behave to the government.

      It is natural in human societies for leaders to arise; hell, by promoting a course of action - boycotting these companies - you are setting yourself up as a leader. And a government is simply leadership made official, which means that its powers and responsibilities have been clearly defined, as is the process amending those definitions should the need arise, as well as the process of replacing the current leaders with new ones. It is foolish to suggest that cooperation - the tactic which has served us for millions of years and made us the undisputed rulers of this world and of which modern governments are perhaps the most evolved example - shows unwillingness to take personal responsibility.

      It isn't a matter of having someone look over your shoulder, it's the matter of having someone cover your back.

      Imagine if the company had to pay a fine of $5,000 or more, per customer involved in the data loss. My guess is they would be a bit more careful.

      My guess is they'd charge $5000 more per customer, for "extra security." And then lose the data anyway.

      It must be one altruistic company, then; for surely a for-profit corporation is already charging the amount that will maximize their profit, so only an altruistic company dedicated to the well-being of its customers over the profits of its shareholders would be able to pass fines to said customers. They could get $5,000 more per customer while still retaining their userbase, and yet they aren't doing so; truly they have a heart of purest gold, if not a wallet full of it.

      The claim that "customers pay the fines" is simply rubbish. It is no doubt spread by the very companies who know they deserve to be fined to try to persuade the public opinion against imposing those fines, but a very basic analysis shows that it is impossible for a for-profit corporation to pass the fines to its customers, because it is already taking all it can from them. No, fines hurt the company shareholders, just like they should.

      So fine the bastards until they learn their lesson or go bankrupt. Forcing people to care about the consequences of their actions to other people is exactly what the legal system is supposed to do.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    22. Re:Another day, another data leak. by BrunoUsesBBEdit · · Score: 1

      If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy.

      These are the same consumers who tolerate IE. We have lowered the barriers to entry such that the markets are broken. I don't know the answer, but the problem is obvious to anyone other than the layman.

    23. Re:Another day, another data leak. by The Good Reverend · · Score: 1

      The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up.

      A good number of the data leaks/thefts have happened at companies that rarely, if ever, deal with the people whose info they've lost (data resellers, information storehouses/providers, etc). How does someone who's had their information "misplaced" stop supporting a company they've never done business with in the first place?

    24. Re:Another day, another data leak. by jlarocco · · Score: 1

      The government keeps screwing up and losing your data, and your solution is MORE government? Besides that, where do you think the government is going to get money to pay those fines?

    25. Re:Another day, another data leak. by jlarocco · · Score: 1

      Maybe by not doing business with companies that do business with them?

    26. Re:Another day, another data leak. by zolltron · · Score: 1

      Not only does the government lose data, but there are plenty of companies that one is "forced" to do business with. Recently my (now former) health insurance company had a severe breach that led to literally hundreds of cases of identity theft.

      The health insurance was provided by my school, and chosen by them largely based on cost. What can one do? Luckily I finished my degree, and so I'm no longer bound to that school. But if I was still there I would be without many options. A PhD student cannot just transfer, and I can only petition the school to change providers.

      And what about cases where every single company in a given market is equally as bad. If one needs a service, one is forced to deal with a bad company.

      While we like to imagine that we live in a world where all market transactions are voluntary, that really hasn't been the case for a long time.

    27. Re:Another day, another data leak. by The Good Reverend · · Score: 1

      I hope you don't want a mortgage (or any other financial service), then. Or vote. Or have any account with just about any company.

      I wouldn't say it's impossible to not do business with companies that sell your information, but it's as close as you get in the real world. You also have to take into account all the public records that go into these databases. While public and not all-encompassing on their own, combined together they can paint a pretty good picture of who you are.

    28. Re:Another day, another data leak. by jlarocco · · Score: 1

      I don't know if you realize this, but in a democracy, the government is us. It is our servant, created for the specific purposes of dealing with antisocial behaviour and looking after us. It is perfectly valid to delegate the task of dealing with companies and forcing them to behave to the government.

      You want the government to punish companies? But we are the government? So we are going to punish the companies? But we can't punish them by boycotting, driving them out of business and letting a responsible company take over? We have to fine them?

      It must be one altruistic company, then; for surely a for-profit corporation is already charging the amount that will maximize their profit, so only an altruistic company dedicated to the well-being of its customers over the profits of its shareholders would be able to pass fines to said customers. They could get $5,000 more per customer while still retaining their userbase, and yet they aren't doing so; truly they have a heart of purest gold, if not a wallet full of it.

      They're charging the amount that maximizes their profit *right now*, without a $5000 fine. If they risk a $5000 fine, they may decide to spend $4999 per customer securing the data. Or they may calculate they have a 50/50 chance of losing a customer's data, and charge $2500 extra per customer. In any event, the fine would just be an added cost of doing business. It would get factored into the final price just like every other cost of business.

      Maybe you should spend less time trying to sound witty and more time thinking about what you're saying.

    29. Re:Another day, another data leak. by jlarocco · · Score: 1

      But you would give your car keys to the garage who's servicing the car. If they fail to secure the keys properly and someone steals your car then why shouldn't the garage be held responsible?

      Would you have even taken your car there in the first place if you knew they had a history of having cars stolen out of the garage?

    30. Re:Another day, another data leak. by h4ck7h3p14n37 · · Score: 1

      And how exactly am I supposed to find out about a company's poor privacy practices?

      My bank has twice now sent me notices in the mail about security breaches at some vendor with whom I have transacted. Unfortunately the bank does not tell me who the vendor is so I may avoid them in the future.

      It's really sad that the identity theft situation has gotten so out of control when there's an extremely simple fix. If an institution does not properly check someone's identity (by an in-person visit with government issued credentials), then that institution should be held liable and not the innocent party. Unfortunately some people feel that properly identifying people is too costly and have decided that we should just let the common man deal with getting his identity stolen.

      This sort of legislation could even spawn an entire industry devoted to identity verification. Maybe it's simply not practical for the operator of a web-based service to verify someone's identity in person, instead the operator could subscribe to a service. This service would operate offices in various locations, do the in-person verification process and then clear the individual.

    31. Re:Another day, another data leak. by jlarocco · · Score: 1

      My bank has twice now sent me notices in the mail about security breaches at some vendor with whom I have transacted. Unfortunately the bank does not tell me who the vendor is so I may avoid them in the future.

      Well what do both of the companies have in common? They're both contractors for the bank that you're still using, despite their using contractors with shit privacy practices.

      I'm aware that it's a pain in the ass, but if individuals won't put in the effort to safeguard their own information, why should other people do it for them? You are the one with the most to lose if your private data is made public. No amount of fine is going to make up for the hassle of having your ID stolen.

    32. Re:Another day, another data leak. by jlarocco · · Score: 1

      Not only does the government lose data,...

      So the government is part of the problem. But you'd like to have government help fix it. That plan sounds like a winner.

      I'd also love to know how you meaningfully fine a government agency. Would they stop working, pay the fine out of their current budget and raise taxes later? Or can they wait until after they've raised taxes to start paying the fine?

      The health insurance was provided by my school, and chosen by them largely based on cost. What can one do?

      You can do like millions of other people and pay for your own insurance. Or not have insurance at all.

      While we like to imagine that we live in a world where all market transactions are voluntary, that really hasn't been the case for a long time.

      Transactions in a free market are *always* voluntary. If it's not voluntary, it's not a free market. What do you think the "free" stands for?

    33. Re:Another day, another data leak. by FireFury03 · · Score: 1

      Would you have even taken your car there in the first place if you knew they had a history of having cars stolen out of the garage?

      Most of the organisations who are losing data _don't_ have a history of losing data - there are just an awful lot of separate companies that have got crap security procedures which are being publicised for the first time.

      Short of performing a full security audit on any company you hand any data to (clearly not feasible), what can you do? I certainly don't have a crystal ball that tells me which company will be the next to screw up.

    34. Re:Another day, another data leak. by jlarocco · · Score: 1

      Most of the organisations who are losing data _don't_ have a history of losing data - there are just an awful lot of separate companies that have got crap security procedures which are being publicised for the first time.

      Do you know why? It's because companies that lose data are never punished. Of the hundreds of data loss stories you've seen, how many of the companies involved have ever gone out of business because of it? How many have ever lost a significant portion of their customers? Why would a company spend money on data security if consumers clearly don't care either way? If your competitor loses data and stays in business, that means you can lose data and stay in business. They lose data, but they still have just as much money coming in as before. There's no motivation at all to protect private data, and that's why it keeps happening.

      If a company loses 80% of their customers after announcing data loss, other companies would pay attention.

      I certainly don't have a crystal ball that tells me which company will be the next to screw up.

      How will the government fining companies for data loss change that?

    35. Re:Another day, another data leak. by FireFury03 · · Score: 1

      Do you know why? It's because companies that lose data are never punished.

      You seem to be changing your argument - you originally argued that companies shouldn't be fined because it is the data owner's responsibility to make sure the organisations they give the data to have good security practices. My argument was that finding out how good an organisation's security is before an incident occurs isn't really feasible for most people. You now seem to have changed to being pro-punishment, and thus now support my side of the debate - so which is it?

      Not only is it hard to determine how good the security practices are of an organisation which has had no problems in the past, I also don't believe that you can claim that an organisation has got bad security because they had a single problem in the past - they may have learnt from their mistakes and thus have better security than organisations with a clean history. Sure, if an organisation has a history of regular security problems then they shouldn't be trusted, but that really isn't the case with most of these "data loss" stories.

      How will the government fining companies for data loss change that?

      Ah, and now you've gone back to your original argument that punishing organisations won't help - please make up your mind.

      Fining organisations large amounts if they have poor security encourages them to adopt better security practices because it becomes cheaper to do so than pay the fine. If more organisations adopt better security practices because of the threat of large fines, customers won't _have_ to have a crystal ball to tell them which organisations to avoid.

      I will admit that giving PII to a survey company is a bit crazy, but these data loss cases frequently involve organisations that have good reason to have this data - for example, you can't buy goods over the Internet without handing over various pieces of PII (credit card number, name, address, etc.), and you are legally required to submit information to government departments who then go and "lose" the data.

    36. Re:Another day, another data leak. by jlarocco · · Score: 1

      You now seem to have changed to being pro-punishment, and thus now support my side of the debate - so which is it?

      The argument I've been making all along is that consumers should punish the offending companies by driving them out of business. I'm specifically arguing against the government getting involved in these cases because it shouldn't be necessary, limits freedom, wastes tax dollars, and encourages people to be irresponsible with their own data.

      If consumers do what's in their best interest and avoided companies with poor data security, the companies would notice and take pains to make sure their data is secure, because they would know data loss meant going out of business.

      Ah, and now you've gone back to your original argument that punishing organisations won't help - please make up your mind.

      Nope, same argument I've been making all along.

      Fining organisations large amounts if they have poor security encourages them to adopt better security practices because it becomes cheaper to do so than pay the fine. If more organisations adopt better security practices because of the threat of large fines, customers won't _have_ to have a crystal ball to tell them which organisations to avoid.

      Are you really this dense? It's exactly the same idea if consumers drive the companies out of business for losing data, but without "big brother" looking out for everybody. Businesses that want to stay in business would protect private data. It's a hell of a lot better motivation than a puny fine.

    37. Re:Another day, another data leak. by FireFury03 · · Score: 1

      Are you really this dense?

      Is your argument really that insubstantial that you have to resort to hurling insults?

      It's exactly the same idea if consumers drive the companies out of business for losing data, but without "big brother" looking out for everybody.

      But that's just never going to happen - the majority of people are never going to consider the security of their data. Those of us who do care about security should not have to rely on everyone else to punish these organisations. The government's job is to protect people, or do you subscribe to the idea that we should abolish government sponsored law enforcement and just have vigilante justice instead?

      It's a hell of a lot better motivation than a puny fine.

      Who said anything about puny? I don't subscribe to the idea of shutting down a company for a single transgression, but I do think that fines should be big enough to make it worth the company's while to fix their security. This probably means you have to scale the fine according to the organisation involved, since a fine that would bankrupt a small company would be laughed off by a large international corporation.

    38. Re:Another day, another data leak. by jlarocco · · Score: 1

      Is your argument really that insubstantial that you have to resort to hurling insults?

      Well, when I explain it half a dozen times, and you still don't seem to understand, I really have to wonder.

      But that's just never going to happen - the majority of people are never going to consider the security of their data. Those of us who do care about security should not have to rely on everyone else to punish these organisations. The government's job is to protect people, or do you subscribe to the idea that we should abolish government sponsored law enforcement and just have vigilante justice instead?

      Is the government not supposed to represent the people anymore? If it's as you say, and people don't care about the privacy of their data, the government shouldn't care either.

      Also, "protecting people" from themselves is the job of a socialist government. In free countries the government's job is to protect the people's rights. Then, the people get to use those rights in any way they want. Including stupid ways that aren't in their best interest, like doing business with companies with a history of private data loss.

      Who said anything about puny? I don't subscribe to the idea of shutting down a company for a single transgression, but I do think that fines should be big enough to make it worth the company's while to fix their security. This probably means you have to scale the fine according to the organisation involved, since a fine that would bankrupt a small company would be laughed off by a large international corporation.

      Instead of paying the high up front cost for better security, companies will save the money and pay the fine. How does your plan get around that?

    39. Re:Another day, another data leak. by FireFury03 · · Score: 1

      Is the government not supposed to represent the people anymore? If it's as you say, and people don't care about the privacy of their data, the government shouldn't care either.

      As well as respecting the majority's wishes, the government is required to protect minority groups too... I guess the people who give a damn about their data security are a minority group.

      Also, whilst the majority of people don't seem to give a damn about protecting their data themselves, they are going to give a damn when it is used by criminals.

      Also, "protecting people" from themselves is the job of a socialist government.

      We're not talking about protecting people from themselves - we're talking about protecting people from organisations with poor security.

      like doing business with companies with a history of private data loss.

      As I have repeatedly said before, very few of these companies have a *history* of data loss - there are just a lot of companies having a single incident. Just looking at a company's history does very little to tell you how secure your data is going to be.

      Instead of paying the high up front cost for better security, companies will save the money and pay the fine. How does your plan get around that?

      Because the fine can be high enough that it is worth their while paying the ongoing security costs rather than risk the fine. This is much like insurance - you can opt to take out insurance, or you can opt to risk an enormous payout at some point in the future, most organisations take out insurance policies for lots of stuff so clearly they don't all choose to save money in the short term at the risk of a large cost later.

    40. Re:Another day, another data leak. by jlarocco · · Score: 1

      We're not talking about protecting people from themselves - we're talking about protecting people from organisations with poor security.

      No... guess who *CHOOSES* to do business with organisations that have poor security? If you want a government babysitter, move to China. Everybody else here is happy with their freedom to do business with whomever they choose.

      As I have repeatedly said before, very few of these companies have a *history* of data loss - there are just a lot of companies having a single incident. Just looking at a company's history does very little to tell you how secure your data is going to be.

      Can you name even a single company that has gone out of business because of data loss? Of the dozens, if not hundreds, of "Massive data loss..." articles that have been on Slashdot, can you point to a single instance where one of those companies has gone out of business? Certainly the vast majority of them have not. That sends a very clear signal to everybody, except you apparently, that protecting private data is not a worthwhile investment because most people don't care. There's no incentive for companies to keep private data private because consumers have repeatedly shown they don't care if it gets lost. Companies lose data and stay in business == customers don't care about data loss. Why should I raise prices and spend money on data security if my customers don't care about it? It's really that simple.

  4. Not "Lost" by mrroot · · Score: 4, Insightful

    it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.

    The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.

    Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

    --
    I Heart Sorting Networks
    1. Re:Not "Lost" by mrbluze · · Score: 0

      But headlines like this are misleading.

      This is slashdot. What's your point?

      Furthermore the 41,000 number is misleading

      See above. You must be new here ;)

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    2. Re:Not "Lost" by icepick72 · · Score: 4, Interesting

      Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

      Because companies who write code that badly also don't keep web logs.

    3. Re:Not "Lost" by Anonymous Coward · · Score: 0

      No, the 41,000 number is not misleading.
      The CCC did access and download 41,003 profiles.
      Read about it in the German PDF (Link at the end of the page).

    4. Re:Not "Lost" by Opportunist · · Score: 1

      Ok. So 41,000 could have been viewed, but only yours was.

      Feeling any better now?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Not "Lost" by neumayr · · Score: 1

      In the linked (German) article they explained how they got access to 41000 data sets.
      Of course, that's no evidence, but what are they supposed to do? Publish them?

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    6. Re:Not "Lost" by Anonymous Coward · · Score: 0

      Exactly, they are not lost. I made a backup... (Indeed the 41,000 figure IS accurate ;-))
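Added example, not part of any comment above: the "Not Lost" sub-thread turns on whether anyone can say how many records were actually viewed, and web logs are where a site operator would look. The sketch below counts, per client, the distinct customer IDs served successfully and flags clients that walked through many of them. The log lines are constructed, and the path and the `customer_id` parameter name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ID_PARAM = "customer_id"  # assumed parameter name; the page does not give it

# Constructed sample access log (Common Log Format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:01 +0200] "GET /survey/results?customer_id=5001 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2008:13:55:40 +0200] "GET /survey/results?customer_id=5001 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2008:14:01:02 +0200] "GET /survey/results?customer_id=5002 HTTP/1.1" 200 4980
198.51.100.7 - - [10/Oct/2008:14:01:03 +0200] "GET /survey/results?customer_id=5003 HTTP/1.1" 200 5011
198.51.100.7 - - [10/Oct/2008:14:01:04 +0200] "GET /survey/results?customer_id=5004 HTTP/1.1" 200 4877
198.51.100.7 - - [10/Oct/2008:14:01:05 +0200] "GET /survey/results?customer_id=5005 HTTP/1.1" 200 5230
198.51.100.7 - - [10/Oct/2008:14:01:06 +0200] "GET /survey/results?customer_id=5006 HTTP/1.1" 404 310
198.51.100.7 - - [10/Oct/2008:14:01:07 +0200] "GET /survey/results?customer_id=5007 HTTP/1.1" 200 5102
203.0.113.9 - - [10/Oct/2008:14:10:00 +0200] "GET /survey/results?customer_id=5010 HTTP/1.1" 200 5001
203.0.113.9 - - [10/Oct/2008:14:10:01 +0200] "GET /static/logo.png HTTP/1.1" 200 900
203.0.113.9 - - [10/Oct/2008:14:10:05 +0200] "GET /survey/results?customer_id=abc HTTP/1.1" 400 120
-- log rotated --
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')


def parse_line(line):
    """Return (client, customer_id, status), or None if the line carries no numeric ID."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    raw = parse_qs(urlsplit(target).query).get(ID_PARAM, [""])[0]
    if not (raw.isascii() and raw.isdigit()):
        return None
    return client, int(raw), int(status)


def ids_by_client(lines):
    """Map each client to the set of IDs it was actually served (2xx only)."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and 200 <= parsed[2] < 300:
            seen[parsed[0]].add(parsed[1])
    return seen


def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for n in sorted(ids):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def flag_enumeration(lines, max_ids=2, min_run=3):
    """Clients served more than max_ids distinct records, or a consecutive run >= min_run."""
    flagged = {}
    for client, ids in ids_by_client(lines).items():
        run = longest_run(ids)
        if len(ids) > max_ids or run >= min_run:
            flagged[client] = {"distinct": len(ids), "longest_run": run}
    return flagged


def exposed_ids(lines, **thresholds):
    """Sorted union of record IDs served to flagged clients: the set to treat as disclosed."""
    per_client = ids_by_client(lines)
    out = set()
    for client in flag_enumeration(lines, **thresholds):
        out |= per_client[client]
    return sorted(out)


if __name__ == "__main__":
    rows = SAMPLE_LOG.splitlines()
    print(flag_enumeration(rows))
    print(exposed_ids(rows))
```

Standard access logs record the query string but not request bodies, so the same walk done through POST would leave no IDs here and would need application-level logging to scope.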

  5. Horrible article title. Loses --- Exposes by Noodles · · Score: 5, Informative

    German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.

  6. The Same Problem, Yet Again by ThinkComp · · Score: 0, Redundant

    I've written several white papers and op-eds about how this problem has affected various companies and government entities. Sadly, it never seems to go away.

  7. You know by Iamthecheese · · Score: 2, Funny

    that the expensive webmaster you just hired is actually a drunken lemur in disguise when...

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:You know by Opportunist · · Score: 2, Interesting

      Expensive webmaster?

      I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.

      You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is about, or how to keep people from viewing data they should have no access to. The way this was "hacked" shows it far too well.

      I'm doing security audits. You would be amazed how many companies, even companies that actually do have some security conscience due to self interest (read: when their data is on the loose, they lose money because they actually want to sell that data), lack in security. There's servers with public access that are "free for all" (sure, there's login and everything, but failure to login does not keep you out), you have examples like the one here (if you have access to one set of data you have access to all of them if you know how to access them, and choosing a different user ID isn't rocket science), the list goes on.

      The problem isn't that companies wouldn't want to have security. The problem is just that few are willing to pay for it. In comes some cheap moron that claims he can, and he spews that in the face of a boss who readily believes that TCP is some sort of three letter agency, so he gets signed up.

      This is what's wrong here. I'm the last person asking for some sort of certificate (most of the IT certs you can get today are more the kind of "dump money here, pull cert out there"), but as long as the people hiring security personnel have no idea about security themselves, snakeoil vendors will have an easy life.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. CSI my city by ILuvRamen · · Score: 1

    Okay let's pull some CSI crap and go back in time. I can hear it now! "Naw, just code it in a GET, that's easier. Nobody will ever just type something" (except in German obviously :P)

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  9. That's nothing by Anonymous Coward · · Score: 5, Informative

    I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.

    That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.

    Posted AC because the company is sue-happy about former employees.

    1. Re:That's nothing by Opportunist · · Score: 1

      You could easily have posted it under your name. This is by far not the only company that has this problem, you could easily claim you were talking about a completely different company and ... hey, why do YOU sue, don't tell me YOU had that problem too! :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:That's nothing by Anonymous Coward · · Score: 0

      But you didn't even tell the name of the company...

  10. Solution: don't hand out your data by nathan.fulton · · Score: 3, Insightful

    I'm not going to get into a debate over consumer and business responsibilities, but it seems to me that at a certain point, you just have to be constantly vigilant and aware if you want your data to be secure. This is a perfect example -- you don't have to take surveys. What's the benefit?

    1. Re:Solution: don't hand out your data by fuzzyfuzzyfungus · · Score: 4, Insightful

      Easy enough in this particular case, surveys are largely optional. Absolutely useless in the general case, though. I don't get to opt out of government data collection and storage, opting out of data collection and storage by utilities and financial institutions is possible but for most people only in a theoretical sense.

      This is a rather weak special case, I agree; but it points to no general form ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end (and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?

  11. OMG IE is a haxx0r. by fuzzyfuzzyfungus · · Score: 1

    Wasn't Germany the country considering, or moving toward, some sort of draconian ban on hacking tools? If so, let's tell them that the URL modification trick only works in IE. Seriously, though, these constant data breaches are getting pathetic. Are we going to have to start shooting suits to get them to shape up?

    1. Re:OMG IE is a haxx0r. by Opportunist · · Score: 1

      Not just considering. They actually did it. Something their paranoid wheelchair didn't consider is that the internet doesn't care about borders, though, so it doesn't apply to me, and I can still provide security services for Germany.

      But I think the URL line in browsers is soon to be outlawed.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. this is how common it is.. by swordfishBob · · Score: 2, Funny

    It is established that an amazing (unknown)% of survey data is lost or released to unauthorized recipients. We'd tell you the percentage, but we lost the laptop with all records at the airport.

    --
    -- All your bass are below two Hz
  13. Not the worst I've seen... by Anonymous Coward · · Score: 5, Informative

    We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your heart's content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.

    When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.

    Heartland payment systems is the company...

    1. Re:Not the worst I've seen... by joost · · Score: 1

      Tee hee, their site seems to be down. Wonder what caused it...

  14. "Bah" on Stupid Comments within Story Summaries. by lancejjj · · Score: 3, Funny

    "It's not just governments that lose private data.

    Golly, I just assumed that government agencies, such as "TJX", "HSBC", and "Radio Shack" lose data.

    Really, does the writer really think that Slashdot readers don't read Slashdot? TJX and HSBC certainly aren't part of any government, yet there have been numerous reports about the loss of a ridiculous number of records.

    As for Radio Shack - I'm pretty sure that the government is propping them up. Then again, the government seems to be propping up banks too. OK, I stand corrected. Never mind.

  15. Not surprising by Anonymous Coward · · Score: 0

    Unfortunately, I've seen things like this before. Agencies of some rather large governments are also prone to this sort of thing.

  16. Re:Horrible article title. Loses --- Exposes by martin-boundary · · Score: 1

    Or simply:

    TNS Infratest/Emnid has lost control of 41,000 private data records.

  17. Re:"Bah" on Stupid Comments within Story Summaries by Frosty+Piss · · Score: 3, Funny

    As for Radio Shack - I'm pretty sure that the government is propping them up...

    CIA front. Didn't you know that's where all the terrorists buy their bomb parts? Why do you think they insist on such detailed contact info for a $1.50 purchase?

    --
    If you want news from today, you have to come back tomorrow.
  18. Re:Horrible article title. Loses --- Exposes by Tablizer · · Score: 3, Funny

    Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records.

    Nah, "exposes" creates more vivid mental images.
         

  19. Re:"Bah" on Stupid Comments within Story Summaries by east+coast · · Score: 1

    Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.

    --
    Dedicated Cthulhu Cultist since 4523 BC.
  20. Re:"Bah" on Stupid Comments within Story Summaries by FilterMapReduce · · Score: 1

    Blind government bashing is so rampant around here that it doesn't even need to be true to get props from a lot of readers.

    That's the government's fault.

  21. How many more cases? by JayTech · · Score: 5, Informative

    Last year Global Test Market (www.globaltestmarket.com) had a similar exploit, which I found; I was able to access anyone's account information, including their password via their ID. I reported it to their IT department, it took them almost a month to fix. Every single one of their clients' data on that site was exposed, and do you think the company notified the clients? Nope. It was as if they could care less. They never even gave me a pat on the back or anything. It's a wonder stuff like this doesn't happen more often, so many companies placing profits ahead of security.

    1. Re:How many more cases? by cerberusss · · Score: 2, Interesting

      Here's a nice test case: google for "customer login" and use the following password:

              ' or 1=1 and password='

      I tried and within the first 50 hits I got in.

      --
      8 of 13 people found this answer helpful. Did you?
    2. Re:How many more cases? by Anonymous Coward · · Score: 0

      Indeed stupid that they do not at least say thank you and offer you something.

      When I was working for an Internet Provider many years ago, a customer noticed that when you logged in on the X2 modems, you only needed a valid login. Logins were very easy to recognise (like user0001). This took USRobotics about a month to fix as the problem was there not with our radius.

      I asked if they would give the person something, like a month or even a year free access, but nothing came of it, even though we know after investigation this was costing us serious money as many people used this.

      I now feel sorry that I told this to the company, as the person wanted only to report it to me, not the company itself.

      Posted anonymously, because I can imagine many people would still want to kick me for taking away their free access.

    3. Re:How many more cases? by neumayr · · Score: 1

      Why didn't you publish this?
      Of course after giving them time to fix it, but a deadline gets things done faster.
      Also, their customers might have liked to know their information should be assumed to have been compromised.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    4. Re:How many more cases? by JayTech · · Score: 1

      Good point, I didn't have an excuse not to reveal this information, which is why I made the previous post. But, I also didn't have a place to do it where people would actually listen; the places I posted to didn't care one iota, so I gave up.

  22. So easy to fix by Heembo · · Score: 1

    Here, let me help you with a little pseudocode:

    String sUserId = request.getParameter("user_id");
    int userId = 0;
    try {
            userId = checkInt(userId);
            if (userId < 0) throw exception;
    } catch (Exception e) {
            exit();
    }
    User user = (User)session.getParameter("current_user");
    if (user.getId() != userId) {
            exit();
    }

    --
    Horns are really just a broken halo.
    1. Re:So easy to fix by Anonymous Coward · · Score: 1, Informative

      String sUserId = request.getParameter("user_id");
      int userId = 0;
      try {
                      userId = checkInt(userId);
                      if (userId < 0) throw exception;
      } catch (Exception e) {
                      exit();
      }
      User user = (User)session.getParameter("current_user");
      if (user.getId() != userId) {
                      exit();
      }

      The first line of your try block just runs a checkInt() on integer 0. Perhaps you mean to be checking sUserId rather than userId? Even once that issue is fixed, I don't see how your code snippet helps anything. For someone trying to help out with a security problem, you don't seem to be proving yourself to be very competent. :p

    2. Re:So easy to fix by Heembo · · Score: 1

      userId = checkInt(userId);

      should be

      userId = checkInt(sUserId );

      This code checks that the userId from the request matches the current authenticated user in session. Thanks for your asshole comment. Have a nice day.

      --
      Horns are really just a broken halo.
    3. Re:So easy to fix by Tweenk · · Score: 1

      WTF? They should just use the session parameter to fetch the data, instead of putting this as a parameter. I can see a reason for this only if they use the same page to display info for admins who can view everyone. I have the impression that people are unwilling to trust the session mechanism, while I have built a site which uses it heavily and this allows me to simplify the code a good bit. I suppose the default session mechanism doesn't scale as well as putting everything in the request, but then you can write your own session handlers which use a DBMS of your choice.

      --
      Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
    4. Re:So easy to fix by Heembo · · Score: 1

      Good point, I do agree with you that the userId should be taken out of the request and just pulled from session in many cases.

      However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account. That is why code of this nature is so common.

      --
      Horns are really just a broken halo.
    5. Re:So easy to fix by Shados · · Score: 1

      Super users being able to access any account can still be done through session or other server side mechanism :) The product we worked on at my previous job worked like that, and it went quite well too :)

    6. Re:So easy to fix by Heembo · · Score: 1

      In order for a superuser to view or take over a specific user account; that superuser will need to select a user to view via some kind of request parameter.

      --
      Horns are really just a broken halo.
    7. Re:So easy to fix by ultranova · · Score: 1

      However, the userId might need to be implemented from the request as I have described in case you want to support administrative features where a superuser can access any account.

      Except that he can't, in your example, because a mismatch between the userId parameter and the user associated with the session causes the whole server to exit. Holy Denial of Service, Batman :)! Perhaps you meant "if (!user.isSuperUser() && !user.user.isId(userId))" ? Or perhaps even "if (!user.canAccessId(userID))" ? The last option pushes access control for users into the User class, where it IMHO belongs, rather than having it duplicated in every servlet.

      In any case, it would probably be better to have a separate administrative utility, rather than mixing it with normal user code. That way there's less of a danger that you accidentally expose more functionality than you should to ordinary mortals.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    8. Re:So easy to fix by Heembo · · Score: 1

      > causes the whole server to exit.

      Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.

      However, I agree with you 100% that the administrative utility should be separated from the normal user account, and therefore the standard user page would only need to grab the userid from the session. Your point well taken.

      Also be wary of RBAC calls like user.isSuperUser(). Most productized/enterprise applications really mandate data-layer-access control calls like:

      user.hasAccess(entity, function);

      If you start hard-coding roles into your application and need to change that policy, you will need to change code. But if you make calls like:

      user.hasAccess(Organization(2), "editOrg");

      you can then change your access control policy without needing to change code.

      --
      Horns are really just a broken halo.
    9. Re:So easy to fix by ultranova · · Score: 1

      Dude, I was writing pseudo-code. Stop being an asshole. The point I was making is that the code to solve an issue of this nature is trivial; I was not trying to make it perfect, hence the term pseudo-code.

      If pointing out your errors insults you, that is unfortunate; but it doesn't make me or anyone else an asshole.

      And pseudo-code doesn't mean code that has logical errors, it means a step-by-step presentation of an algorithm that's easily turned into actual code. And your "pseudo-code" bears an uncanny resemblance to Java :).

      However, you did certainly demonstrate why things like the article describes happen: trivial problems aren't necessarily so trivial to solve right, especially if the guy trying to solve them thinks they're trivial and not really worth giving much thought to ;).

      If you start hard-coding roles into your application and need to change that policy, you will need to change code. But if you make calls like:

      Yes, you are right, ACL's are better.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    10. Re:So easy to fix by Heembo · · Score: 1

      Your smarmy little comments were not necessary. My original code stating that the userId from the request needed to be a positive integer that matched the current user in session illustrated that this is a simple problem to solve.

      --
      Horns are really just a broken halo.
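Added example, not code from any commenter: the "So easy to fix" sub-thread converges on taking the caller's identity from the server-side session, deciding access through a policy call in the spirit of `user.hasAccess(entity, function)`, and keeping role rules out of handler code. The "That's nothing" comment adds that moving the ID from GET to POST changes nothing. The sketch below puts the flawed handler beside a checked one; all names, roles and the sample profiles are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: survey profiles keyed by customer ID.
PROFILES = {
    1001: {"owner": 1001, "name": "Participant A"},
    1002: {"owner": 1002, "name": "Participant B"},
}

# Policy as data: role -> set of (action, scope), scope being "own" or "any".
# Changing who may do what means editing this table, not the handlers.
POLICY = {
    "participant": {("view_profile", "own")},
    "support": {("view_profile", "any")},
}

AUDIT = []  # refused attempts as (session user, method, raw id), kept for review


@dataclass(frozen=True)
class Session:
    """Server-side session state; the client never supplies these fields."""
    user_id: int
    role: str


class Denied(Exception):
    """One error for every refusal, so responses do not reveal which IDs exist."""


def parse_id(raw):
    """Accept only a short, plain ASCII decimal string naming a positive integer."""
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise Denied("malformed id")
    value = int(raw)
    if value == 0:
        raise Denied("malformed id")
    return value


def has_access(session, action, owner_id):
    """Policy decision: may this session perform action on a record owned by owner_id?"""
    grants = POLICY.get(session.role, set())
    if (action, "any") in grants:
        return True
    return (action, "own") in grants and owner_id == session.user_id


def view_profile_vulnerable(session, method, params):
    """The flaw described in the thread: any logged-in caller, any ID, GET or POST."""
    return PROFILES[int(params["customer_id"])]


def view_profile(session, method, params):
    """Checked handler. Without an ID parameter it serves the caller's own record."""
    raw = params.get("customer_id")
    try:
        target = session.user_id if raw is None else parse_id(raw)
        record = PROFILES.get(target)
        if record is None or not has_access(session, "view_profile", record["owner"]):
            raise Denied("not permitted")
    except Denied:
        AUDIT.append((session.user_id, method, raw))
        raise
    return record


def is_denied(session, method, params):
    """Convenience wrapper: True if view_profile refuses the request."""
    try:
        view_profile(session, method, params)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    alice = Session(user_id=1001, role="participant")
    print(view_profile_vulnerable(alice, "POST", {"customer_id": "1002"}))
    print(is_denied(alice, "POST", {"customer_id": "1002"}))
```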
  23. Really? by a_claudiu · · Score: 0, Troll

    Maybe your story is true, maybe you are an AC from another company. I don't see why you are modded informative, in the moment when you are accusing anonymously without proof you are just a troll.

    1. Re:Really? by Anonymous Coward · · Score: 2, Interesting

      I posted anon because HPS is very very very sue happy, and I don't have the personal cash to front a law suit. What proof do you want? I will send you anything I can anonymously, but I won't risk a law suit from a company with more than a billion bucks in the bank.

      We found this bug because our code that interfaced with their system had a small bug (transposed 0 and 1 in an array dereference) and we accidentally billed customers that were not ours through their system, called them about it, they were extremely combative, accused us of hacking, threatened lawsuits and shut down our account.

    2. Re:Really? by a_claudiu · · Score: 1

      I understand your reason for being AC and I even consider the story credible but I don't understand the reason for posting the company name.

      If they are so sue happy what is preventing them from suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users?

    3. Re:Really? by pclminion · · Score: 2, Insightful

      If they are so sue happy what is preventing them from suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users?

      Let them. That's not the AC's problem, is it?

    4. Re:Really? by badfish99 · · Score: 1

      If he leaves out the company name, it's just an amusing story but achieves nothing.
      If he puts in the company name, it might just get seen by their customers, who might then take their business elsewhere, thereby solving the problem.

    5. Re:Really? by ArsenneLupin · · Score: 1

      If they are so sue happy what is preventing them from suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users?

      Public exposure. If they'd sue Slashdot, you'd be sure many more people would become aware of their lax security than if some barely read anon comment merely mentions their name.

      Remember: reporting about a problem without having very solid proof is shaky legal ground. However, reporting about an ongoing lawsuit, including the subject of said suit, is not dicey, because court documents themselves prove that the suit exists. So basically, by suing Slashdot, they'd give not only Slashdot themselves, but also about any other news outlet carte blanche to air this dirty laundry...

    6. Re:Really? by mgblst · · Score: 1

      Yes, why attribute blame to people/companies that actually screw up? Why would you even ask this question?

  24. Re:Horrible article title. Loses --- Exposes by Anonymous Coward · · Score: 0

    so does "lost control."

  25. there already is to some extent by Trepidity · · Score: 2, Interesting

    Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-theft and credit-monitoring through some service for everyone who was affected.

  26. Moderators: Please note by Anonymous Coward · · Score: 0

    Please do not grant moderation points to the person posting under this account. Read this before you do.

  27. Must be a fake by Anonymous Coward · · Score: 0

    I thought incompetence and negligence were the sole province of government. This article must be a fake or the government must be to blame somehow.

  28. Re:Horrible article title. Loses --- Exposes by Tablizer · · Score: 1

    Naw, more likely to think it's about the White House.

  29. I think a fine would help... by Joce640k · · Score: 2, Insightful

    Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.

    What's needed is a short stay in prison for the CEO responsible for overseeing the project.

    A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.

    --
    No sig today...
    1. Re:I think a fine would help... by AlecC · · Score: 1

      That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression. Putting the CEO of the government into prison would cause major political upheavals that would have massive knock-on effects, dependent upon political system.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    2. Re:I think a fine would help... by drinkypoo · · Score: 1

      That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.

      If the bank is that fragile it's doomed anyway. He could also get hit by a bus.

      Putting the CEO of the government into prison would cause major political upheavals that would have massive knock-on effects, dependent upon political system.

      It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:I think a fine would help... by AlecC · · Score: 1

      That might be overkill - putting the CEO of a major bank in prison could cause a collapse leading to a depression.

      If the bank is that fragile it's doomed anyway. He could also get hit by a bus.

      Getting hit by a bus does not imply criminality. It is the implication that the organisation has had a crook at its head which does the harm, not the departure of any single individual. Bankers work very hard to look respectable, hence the marble foyers and double-breasted suits (not both worn at the same time).

      Putting the CEO of the government into prison would cause major political upheavals that would have massive knock-on effects, dependent upon political system.

      It's about the smartest thing we could do in the USA, but we'd have to put the whole fucking cabinet in there with him.

      Far be it from me to disagree..

      --
      Consciousness is an illusion caused by an excess of self consciousness.
  30. Re:"Bah" on Stupid Comments within Story Summaries by Opportunist · · Score: 1

    Well, that works the other way 'round too. Blind government bashing is likely to strike a target simply by there being so many that you're bound to hit one.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  31. Re:Horrible article title. Loses --- Exposes by Opportunist · · Score: 1

    OMG, data porn!

    41,000 records doing it just for you, they have no shame and show you anything. Sign up now!

    Given the behaviour of our governments, I'm sure some professional paranoiacs would get an instant boner.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  32. Re:Horrible article title. Loses --- Exposes by shri · · Score: 1

    TNS is a worldwide company. I'd seriously hope that they don't use the same software everywhere in the world.

  33. Google for "&user=" by giafly · · Score: 1

    To find other sites that make the same beginners' error. Looks like mainly spammers selling blue pills.

    Link

    --
    Reduce, reuse, cycle
  34. Strict regulations? what a joke... by Anonymous Coward · · Score: 0

    Call for strict regulations? Come on, no regulation is going to make people smarter. The mediocre guys who made that web application are going to carry on producing crap.

    If they did it on purpose, strict regulations would be a solution. It's just that they are stupid, there's no cure.

  35. Re:How pathetic [pollute information] by Anonymous Coward · · Score: 0

    I entered an incorrect age (much older) on several online surveys and now get AARP and Depends adverts on my spam e-mail account. I wonder what would happen if I started entering requests for information along the lines of "like an elephant's trunk"? This is like using the TrackMeNot Firefox add-on to pollute web search tracking. I just let it run day and night.

  36. Re:Horrible article title. Loses --- Exposes by bdraschk · · Score: 1

    While /. headlines are often called inaccurate, this time it's not the fault of the contributor. Both versions (English and German) of the article at ccc.de claim the data was "lost".
    The article on heise.de referencing this does not mention any losses.

  37. Re:"Bah" on Stupid Comments within Story Summaries by drinkypoo · · Score: 1

    I suppose they get the other parts at Kragen, they always want my phone number. (I just tell them I'll keep my fucking receipt, unless it's on a lifetime part on a car I plan to keep, then sometimes I knuckle under and give it to them. They print that shit on thermal paper, the whole thing can turn black and then where is your warranty?)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  38. Re:How pathetic [pollute information] by Opportunist · · Score: 1

    A while ago, I started using some fake names for online surveys, then I added the name to my spam filter.

    I get a whole lot less spam now.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  39. Re:"Bah" on Stupid Comments within Story Summaries by dontPanik · · Score: 1

    Like anything at Radio Shack costs 1.50. A simple cable always seems to run me like 7.50.

    --
    "Computers are useless. They can only give you answers." - Pablo Picasso
  40. A Spokesman From The German Company Said.... by pandrijeczko · · Score: 1

    "Vell, zats survey zese zings happen!"

    --
    Gentoo Linux - another day, another USE flag.