German Survey Company Loses 41,000 Survey Records

mister_woods writes "It's not just governments that lose private data. Germany's Chaos Computer Club (CCC) reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants. By simply changing the customer ID number in the browser's address bar access could be gained to comprehensive survey results, including names, addresses, dates of birth, email addresses, phone numbers and much more sensitive data. A CCC spokesman described this as 'unprofessional, grossly negligent and above all deeply worrying' and sees this loss as a vindication for its calls for strict regulations for public and private sector data collectors."

How pathetic

[Darkness404]

How pathetic that these are the very sites that they make you have some ultra-secure password for because there is so much personal information on it and may even boast that the servers are stored in some nuclear bunker and mirrored in every country but yet they can't even enforce decent security on the site itself.

Re:How pathetic

I can get my f'ing medical records over the phone with 1/8th the information i need to even pay my f'ing cell phone bill.

Re:How pathetic

[omeomi]

Well, I certainly won't be completing any more German surveys...

Re:How pathetic

[Opportunist]

Wrong. You can still complete any surveys you want.

Just fill in wrong info. There's only one thing worse than having no information for a data collector: Being unable to discriminate between good and bogus data. It poisons your whole data pool.

Another day, another data leak.

[inotocracy]

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

Re:Another day, another data leak.

[Hal_Porter]

What are you worried about? It's just bits. Information wants to be free. It's not like you own it or anything. Complaining about it being posted on the net will just lead to the Streisand Effect.

Everyone knows that security through obscurity is a bad model. In the Web 2.0 world the only sustainable business model is to make your Social Security number public and sell support on people who want to use it. E.g. if some dude in Nigeria is trying to apply for a credit card in your name he might get asked about your postal address and secret codeword. You could make a few bucks if you gave him the information, more if you applied for the credit card for him yourself.

And don't try to encrypt stuff. Studies show that 95% of Nigerian phishers want DRM free personal information.

Re:Another day, another data leak.

[jlarocco]

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

Having the government impose a fine is not the answer. The *only* way companies will ever learn to properly secure consumer data is if consumers drive them out of business when they fuck it up. If consumers can't be bothered with 5 minutes of research to avoid companies with poor privacy practices, there's absolutely no incentive for companies to spend the money to respect privacy. A fine just increases the cost of doing business - meaning you'll pay even more to have them lose your data.

Re:Another day, another data leak.

[Rakishi]

Well the amount of data leaks would suddenly drop since companies would suddenly overlook it when data goes missing. After all they thought it was an empty hard drive and they'd be just as confused as everyone else when it turned out differently. In other words they'd simply not report them because reporting them would automatically give them a fine. So consumers get screwed in the end because they don't even get alerted when their data is stolen.

Not "Lost"

[mrroot]

it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.

The data was not lost, they failed to secure it. There is a difference between the two, although it doesn't make it any less of a problem. But headlines like this are misleading.

Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

Re:Not "Lost"

[icepick72]

Furthermore the 41,000 number is misleading because there is no evidence supporting how many records were viewed using this method.

Because companies who write code that badly also don't keep web logs.

Horrible article title. Loses --- Exposes

[Noodles]

German Survey Company _Exposes_ 41,000 Survey Records would convey the real meaning of the article.

You know

[Iamthecheese]

that the expensive webmaster you just hired is actually a drunken lemur in disguise when...

Re:You know

[Opportunist]

Expensive webmaster?

I'd rather guess they signed up one of those very unemployed and very desperate people that took some distance learning course during the dot.com bubble in hopes of getting the big bucks, something they couldn't at the janitor or bricklayer position they had before.

You'd be amazed how many people consider themselves a "systems administrator" today because they can click together a halfway decent network connection with the XP net wizard, but have not a hint of an idea what security is about, or how to keep people from viewing data they should have no access to. The way this was "hacked" shows it far too well.

I'm doing security audits. You would be amazed how many companies, even companies that actually do have some security conscience due to self interest (read: when their data is on the loose, they lose money because they actually want to sell that data), lack in security. There's servers with public access that are "free for all" (sure, there's login and everything, but failure to login does not keep you out), you have examples like the one here (if you have access to one set of data you have access to all of them if you know how to access them, and choosing a different user ID isn't rocket science), the list goes on.

The problem isn't that companies wouldn't want to have security. The problem is just that few are willing to pay for it. In comes some cheap moron that claims he can, and he spews that in the face of a boss who readily believes that TCP is some sort of three letter agency, so he gets signed up.

This is what's wrong here. I'm the last person asking for some sort of certificate (most of the IT certs you can get today are more the kind of "dump money here, pull cert out there"), but as long as the people hiring security personnel have no idea about security themselves, snakeoil vendors will have an easy life.

That's nothing

I used to work at a web design agency a few years back. They had a single shopping cart system that they "re-used" (read: copy & pasted then altered to suit the site in question) for dozens of e-commerce sites. After processing an order, it would display the customer's entire details, including credit card information and billing address. Yes, it was vulnerable to this exact flaw. Increment/decrement the order number, and you get to see somebody else's details.

That's not the worst bit. The worst bit is when they "fixed" it. They did so by changing it to a POST request instead of a GET request, meaning the ID number didn't show up in the address bar. It was still just as vulnerable, it's just not as "discoverable" to the clients as it was before.

Posted AC because the company is sue-happy about former employees.

Solution: don't hand out your data

[nathan.fulton]

I'm not going to get into a debate over consumer and business responsibilities, but it seems to me that at a certain point, you just have to be constantly vigilant and aware if you want your data to be secure. This is a perfect example -- you don't have to take surveys. What's the benefit?

Re:Solution: don't hand out your data

[fuzzyfuzzyfungus]

Easy enough in this particular case, surveys are largely optional. Absolutely useless in the general case, though. I don't get to opt out of government data collection and storage, opting out of data collection and storage by utilities and financial institutions is possible but for most people only in a theoretical sense.

This is a rather weak special case, I agree; but it points to no general form ability to control disclosure of your data to a variety of entities. Thus, the only effective measures to prevent data leaks have to involve the storage end(and, ideally, lots and lots of punishment). Perhaps an online "pictures, names, home addresses, phone numbers, emails, social security numbers, and CVs of people responsible for private data breaches" gallery would be in order?

this is how common it is..

[swordfishBob]

It is established that an amazing (unknown)% of survey data is lost or released to unauthorized recipients. We'd tell you the percentage, but we lost the laptop with all records at the airport.

Not the worst I've seen...

We recently left our CC processor (a major company, processing more than 10 billion a year). Their online CC terminal had this exact flaw. You can store customer info (CC, address, name, etc) and get a "customer ID" for that customer. Well... no checks in their system to assure that the "customer" was yours, so you could increment, decrement away and grab CC numbers to your hearts content (more than 25 million CCs in the system). You could even pass a random "customer id" to the billing portion of the system and bill a random person's CC, no checks in that part either.

When we alerted them to this flaw, they cut off our service and disabled all of our accounts and threatened to sue us for "hacking" their system. To this day I don't believe it is fixed.

Heartland payment systems is the company...

"Bah" on Stupid Comments within Story Summaries.

[lancejjj]

"It's not just governments that lose private data.

Golly, I just assumed that governments agencies, such as "TJX", "HSBC", and "Radio Shack" lose data.

Really, does the writer really think that Slashdot readers don't read Slashdot? TJX and HSBC certainly aren't part of any government, yet there have been numerous reports about the loss of a ridiculous number of records.

As for Radio Shack - I'm pretty sure that the government is propping them up. Then again, the government seems to be propping up banks too. OK, I stand corrected. Never mind.

Re:"Bah" on Stupid Comments within Story Summaries

[Frosty+Piss]

As for Radio Shack - I'm pretty sure that the government is propping them up...

CIA front. Didn't you know that's where all the terrorists buy their bomb parts? Why do you think they insist on such detailed contact info for a $1.50 purchase?

Re:Horrible article title. Loses --- Exposes

[Tablizer]

Or simply: TNS Infratest/Emnid has lost control of 41,000 private data records.

Nah, "exposes" creates more vivid mental images.
     

How many more cases?

[JayTech]

Last year Global Test Market (www.globaltestmarket.com) had a similar exploit, which I found; I was able to access anyone's account information, including their password via their ID. I reported it to their IT department, it took them almost a month to fix. Everyone single one of their client's data on that site was exposed, and do you think the company notified the clients? Nope. It was as if they could care less. They never even gave me a pat on the back or anything. It's a wonder stuff like this doesn't happen more often, so many companies placing profits ahead of security.

Re:How many more cases?

[cerberusss]

Here's a nice test case: google for "customer login" and use the following password:

        ' or 1=1 and password='

I tried and within the first 50 hits I got in.

there already is to some extent

[Trepidity]

Apart from certain areas (possibly medical records) there aren't statutory fines, but companies can be held liable if through their negligence something bad actually happens. To reduce the chance of that happening, many spend money on pro-active measures immediately after a leak, which is in some ways a "fine", in that it costs them money, and so they rationally would like to avoid it happening. For example, after a former university of mine misplaced a bunch of records, they paid for two years of identity-theft and credit-monitoring through some service for everyone who was affected.

Re:Really?

I posted anon because HPS is very very very sue happy, and I don't have the personal cash to front a law suit. What proof do you want? I will send you anything I can anonymously, but I won't risk a law suit from a company with more than a billion bucks in the bank.

We found this bug because our code that interfaced with their system had a small bug (transposed 0 and 1 in an array dereference) and we accidentally billed customers that were not ours through their system, called them about it, they were extremely combative, accused us of hacking, threatened lawsuits and shut down our account.

Re:Really?

[pclminion]

If they are so sue happy what is preventing them in suing /. for giving defamatory information or helping in hacking their system and asking for the logs of the users.

Let them. That's not the AC's problem, is it?

I think a fine would help...

[Joce640k]

Then again, a fine won't help much because the people responsible wouldn't pay it, they'd just move to another company after this one went bust.

What's needed is a short stay in prison for the CEO responsible for overseeing the project.

A couple of convictions would see every company in the country take their data offline until some real security consultants were consulted.