Slashdot Mirror

← Back to Stories (view on slashdot.org)

ICO Warns Toshiba Over Data Breach

Posted by samzenpus on from the do-better-next-time dept.

hypnosec writes "Toshiba Information Systems has been given a slap on the wrist by the Information Commissioner's Office (ICO), following a data spillage. This happened during an on-line competition that Toshiba organized last year. Back in September 2011, a concerned member of the public contacted the ICO and informed the body that some data pertaining to those registered for the competition was accessible. In fact, the personal details of 20 entrants were compromised in a security flaw on the site. Those details included names, addresses and dates of birth, along with other contact information. The ICO investigated and found that Toshiba's security measures weren't thorough enough, and hence, didn't detect the vulnerability — from a mistake, made by a third-party web designer. A fine hasn't been levied, but Toshiba has signed an undertaking to ensure this doesn't happen again."

27 comments

  1. ICO? by busyqth · · Score: 1

    What is the ICO, and why should we care? Why should Toshiba care?
    Does anyone care?

    1. Re:ICO? by scdeimos · · Score: 4, Informative

      LMGTFY... http://en.wikipedia.org/wiki/Information_Commissioner's_Office

    2. Re:ICO? by nomadic · · Score: 2

      Probably the best PS2 game ever made. http://en.wikipedia.org/wiki/Ico

    3. Re:ICO? by Anonymous Coward · · Score: 0, Funny

      The six scariest words you never, ever want to hear?

      "Hai, I be yo new neighboh"

    4. Re:ICO? by EdIII · · Score: 3, Interesting

      Ah yes, that explains it. They're British.....

      "No fine, but you promise not to do it again right?"

      Of course, if you are not favored it could be worse.

      Seriously? A signed paper? That's it? I can see the people at Toshiba rolling their eyes when they got it.

    5. Re:ICO? by Anonymous Coward · · Score: 0

      It means that if it happens again, then Toshiba will get the book thrown at them. (And a hefty penalty.)

    6. Re:ICO? by Anonymous Coward · · Score: 0

      An American's comment of course

    7. Re:ICO? by jimicus · · Score: 1

      Seriously? A signed paper? That's it? I can see the people at Toshiba rolling their eyes when they got it.

      The ICO has the power to levy serious fines without much in the way of judicial oversight, and they're not afraid to use this power. If you want to avoid paying the fine, you have to take them to court to get it overturned.

      Whenever a case like this happens, they write up a nice report in clear English explaining precisely what happened and publish it far and wide, along with details of what punishment they've enacted.

      Usually, the size of the punishment is related to:

      - How serious the breach was. A breach involving vulnerable people or including a lot of data will usually be more expensive than a breach of a dozen people's names and addresses (data that's on the electoral roll anyway, so is already pretty widely available).
      - How seriously the organisation responsible for the breach took it. An organisation that makes no effort to prevent recurrence and demonstrates that they don't really care about what happened will typically be fined a LOT more (and yes, how co-operative they were will be in the report).
      - What resulted in the breach taking place. An organisation that already has strong processes in place to prevent such a breach will get a much lower fine than an organisation which does not.

      Think of this signed piece of paper as a written warning. If it happens again, Toshiba can look forward to a swingeing fine and some very bad publicity indeed.

  2. I'm shocked (not really) by Cryophallion · · Score: 5, Informative

    So, a web developer that was hired from outside screwed up his code. That happens almost every day. If not far more often.

    Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence. Mistakes and bad code happen, especially with outside contactors. Are they going to start fining companies for not encrypting hard drives too?

    20 people COULD have been affected, and this is supposedly big news. However, thousands of people were affected by the far more intrusive credit card breaches that seem to happen almost monthly. I think the ICO should be focusing their resources elsewhere.

    1. Re:I'm shocked (not really) by DoofusOfDeath · · Score: 4, Insightful

      Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence

      Or they could slow down, and write less code, more carefully.

    2. Re:I'm shocked (not really) by Cryophallion · · Score: 4, Insightful

      I agree that would be far better. However, in reality, it sometimes fails. This can be due to feature creep, overly high workloads (esp at some sweatshop web companies, like HIT/Heritage used to be - I dealt with them once, and wish I could have run away, but it wasn't my money), a library that got changed, or even some junior developer committing his code by mistake and having it appear in production when he meant to send it to his super.

      SQL injection still appears to happen almost constantly, even though most web languages have very good safeguards against it, and high profile places still show vulnerabilities, so it is still high on the list of security flaws next to XSS.

      I've been on both sides - times when I have the time to write good clean code, which has everything completely buttoned up. But I've also been a victim of those times I echoed a variable in testing and it appeared in production when just the right situation arose. I'm not proud of it, but no one is perfect. Being up all night hunting down an obscure bug means sometimes you don't clean things out the way you should.

      I wish I had the leisure to take my time at it. However, reality can be the boss and the client screaming their heads off, as you try to fix a showstopper in a feature or form that was added last minute by sales due to a miscommunication, or unseen need. Companies are less people do more work, not the other way around.

    3. Re:I'm shocked (not really) by LordLucless · · Score: 1

      Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence.

      Good. Then there would be a space in the market for a competent company to take over.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    4. Re:I'm shocked (not really) by PopeRatzo · · Score: 2

      Or they could slow down, and write less code, more carefully.

      Mosts developers are not able to tell their boss or client that they want to "slow down, and write less code, more carefully" if they want to keep their jobs.

      I don't think it matters much that the developer was somebody that Toshiba hired and not a full-time Toshiba employee. Toshiba is still responsible. If you're going to keep users' information, you better be a little more careful. Or, set better standards for your contract workers.

      It's not that hard to have an online "contest" without putting users' personal data at risk. I'm guessing that many Slashdot users could come up with pretty foolproof ways of getting the job done.

      If we're going to allow these worldwide mega-corporations to exist, with fingers in all sorts of diverse pies, big and little, all over the place, then we're going to have to hold them to high standards. An oil-spill in the Gulf or a chemical spill in Bhopal or a data-spill in the metaverse, somebody needs to hold a great big Louisville slugger over the heads of these corporations. And the bigger the corporation, the bigger the bat.

      A "slap on the wrist" is not nearly as effective as 30 oz of white ash on the side of the head.

      --
      You are welcome on my lawn.
    5. Re:I'm shocked (not really) by Anonymous Coward · · Score: 0

      A "slap on the wrist" is not nearly as effective as 30 oz of white ash on the side of the head.

      Oooh yo! Why it gots ta be WHITE ash?!

    6. Re:I'm shocked (not really) by ciotog · · Score: 1

      Or they could slow down, and write less code, more carefully.

      Mosts developers are not able to tell their boss or client that they want to "slow down, and write less code, more carefully" if they want to keep their jobs.

      I like the part where you left out what they were responding to.

      The part where it was suggested to fine companies that allow bad code, which would be a motivation for the boss/client to allow the developers to slow down and write less code, more carefully.

      Leaving that out makes your argument much stronger.

    7. Re:I'm shocked (not really) by justforgetme · · Score: 1

      Being up all night hunting down an obscure bug means sometimes you don't clean things out the way you should

      True. And inevitable. If you write enough code under pressure you are bound to overlook something, no matter how much of a genius you are.
      Sadly competitive marketplace and clueless HR/MBA drones and accountants that are given free reign are the norm, so more and more work gets done like a race in stead of like a real development. What's next? Equipping the shareholders' kids with SCRUM and letting them loose on the devs?

      --
      -- no sig today
    8. Re:I'm shocked (not really) by AmiMoJo · · Score: 1

      Or they could slow down, and write less code, more carefully.

      Or just hire someone to do security testing. TFA implies there was some kind of automated vulnerability scanner involved, but clearly that isn't a substitute for a human being looking at it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:I'm shocked (not really) by Anonymous Coward · · Score: 0

      We're already here. The problem is people will go to the cheapest guy first. When something screws up then they come back to us and it ends up costing them more than just doing right the first time.

    10. Re:I'm shocked (not really) by nhat11 · · Score: 0

      Eh not all programmers know how to write more secure code because that's not what's either taught in school or themselves.

    11. Re:I'm shocked (not really) by Cryophallion · · Score: 1

      If only that were the case. As usual, let's go with the car analagy. A person gets a ticket for speeding. That may slow them down for a week or two, but they will enevitably be speeding again when they are in a rush, or old habits take over. Fines are a slight deterrent, but they are in no way the most effective discipline method.

      Now, on to corporations. They are trying to make money. they want the lowest price. In fact, they are basically required to get it in most situations. They are told constantly by their investors that they need to maximize shareholder value. That means doing the most with the least. Actually, this doesn't just apply to corporations, here in America, I work with bidding to a lot of schools. I may do far better work, but if my price is $10 over the other guys, he wins, and does his shoddy install. This is maximizing their "investor" value (taxpayers).

      They are certainly not going to fund their own internal small web development team. Let's add up the prices. Let's say there are 2 people in it and a new manager. We'll say that the two devs make $50K/year, and the manager makes $60K. Then we tack on $25K per person for taxes and benefits. That's $185,000.00 per year for team, every single year. No way is that going to fly, if they only get fined $250,000.00 once per every 10 years or something.

      So, no, fines will not change things in corporate culture. It is a nice dream, but a dream nonetheless.

    12. Re:I'm shocked (not really) by Cryophallion · · Score: 1

      Amen. As a person who bids a lot, I've seen the shoddy guy win too many times, and then had to fix it.

  3. Hunger for personal details by wannabgeek · · Score: 2

    But I think the more pertinent question is, why did Toshiba have to collect so much personal details just for a competition? Why do they need the date of birth? Just ask for age, that too, only if necessary for some legal / regulatory reasons.

    --
    I'm much more funny, interesting and insightful than the moderators think
    1. Re:Hunger for personal details by Anonymous Coward · · Score: 0

      Usually it pertains to competitions/lotteries that you must be over a certain age to participate.
      But you are right in fact DOB is not even necessary just a checkbox saying I am of legal age to play this "game".

  4. ICO! by Anonymous Coward · · Score: 0

    So that's what he has been up to after escaping the castle.

  5. So Buttery by ChickenHax · · Score: 1

    My post probaly should be a new story, but anyway it is on the same lines of keeping personal information secure. Not to many years ago I worked for a food franchise that did buisness under a nation wide chain. Our product was fast pizza delivery (30 mins or less ring bells?). The corporation bought out a Point of Sale System (or rights of) and began redevoloping the program with input from various people of the company to make it user friendly and usable in our line of buisness. A clunky and slow POS system was something that we could not manage in our fast pace enviroment. It turned out really well on usablity and such but brought micromanaging to a buisness that did not require it which was not accepting very well at first. Enough of the jabber, what I was writing about is the lack of any security on the way back ups are done. There are no user logins other than a generic login for everyone to use and the administrator logins. The only user specific logins was in the POS system itself. The database was ran by MS SQL Server and the databases where not accesible to regular users of course. If they were encrypted I am not sure, but I am assuming they were not. The reason being I was snooping around under various public folders on the server and found the backup files for the databases. The first problem is I was able to access these and open these files with wordpad/notepad under the user login everyone knows. The worse problem is these backups are not encrypted in any way. You can easily browse through employee records and to my horror customer information, credit card numbers en al. Anyone with knowledge of the general user login (which includes all employees) can access these files. After notifiying the franchisee which was also a bit shocked that customer credit card numbers were being stored even though our credit card merchant agreement strickly forbid the storing of that information (atleast before he signed a new agreement with another merchant that handled internet transactions). It seems the area corporate supervisor was not to worried about this, so I took it to the forums. We had at the time a web forum that all employees could access for various reasons. New food promotions, general talk support ect. After making a post about this without responce from the corporation a forum mod finaly was able to forward the problem to one of the people that worked on the design team. It turns out these public accessable database files are part of the design... To allow the server administrator to make what ever semi perm backups , cd/dvd tape ect. And no they will not make changes to secure these databases as it will cost to much money to do. The sad thing which I brought up it cost 0$ to change where the backup file goes... never got a reply from that.

    1. Re:So Buttery by ChickenHax · · Score: 1

      What happened to my paragraph breaks :{}

  6. data spillage by SuperTechnoNerd · · Score: 1

    "a data spillage" I love that term. I am gonna start using that at work.
    What kind of mop do you think that would require?