Slashdot Mirror


ICO Warns Toshiba Over Data Breach

hypnosec writes "Toshiba Information Systems has been given a slap on the wrist by the Information Commissioner's Office (ICO), following a data spillage. This happened during an on-line competition that Toshiba organized last year. Back in September 2011, a concerned member of the public contacted the ICO and informed the body that some data pertaining to those registered for the competition was accessible. In fact, the personal details of 20 entrants were compromised in a security flaw on the site. Those details included names, addresses and dates of birth, along with other contact information. The ICO investigated and found that Toshiba's security measures weren't thorough enough, and hence, didn't detect the vulnerability — from a mistake, made by a third-party web designer. A fine hasn't been levied, but Toshiba has signed an undertaking to ensure this doesn't happen again."

8 of 27 comments

  1. I'm shocked (not really) by Cryophallion · Score: 5, Informative

    So, a web developer that was hired from outside screwed up his code. That happens almost every day. If not far more often.

    Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence. Mistakes and bad code happen, especially with outside contractors. Are they going to start fining companies for not encrypting hard drives too?

    20 people COULD have been affected, and this is supposedly big news. However, thousands of people were affected by the far more intrusive credit card breaches that seem to happen almost monthly. I think the ICO should be focusing their resources elsewhere.

    1. Re:I'm shocked (not really) by DoofusOfDeath · Score: 4, Insightful

      Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence

      Or they could slow down, and write less code, more carefully.

    2. Re:I'm shocked (not really) by Cryophallion · Score: 4, Insightful

      I agree that would be far better. However, in reality, it sometimes fails. This can be due to feature creep, overly high workloads (esp at some sweatshop web companies, like HIT/Heritage used to be - I dealt with them once, and wish I could have run away, but it wasn't my money), a library that got changed, or even some junior developer committing his code by mistake and having it appear in production when he meant to send it to his super.

      SQL injection still appears to happen almost constantly, even though most web languages have very good safeguards against it, and high profile places still show vulnerabilities, so it is still high on the list of security flaws next to XSS.

      I've been on both sides - times when I have the time to write good clean code, which has everything completely buttoned up. But I've also been a victim of those times I echoed a variable in testing and it appeared in production when just the right situation arose. I'm not proud of it, but no one is perfect. Being up all night hunting down an obscure bug means sometimes you don't clean things out the way you should.

      I wish I had the leisure to take my time at it. However, reality can be the boss and the client screaming their heads off, as you try to fix a showstopper in a feature or form that was added last minute by sales due to a miscommunication, or unseen need. Companies are having fewer people do more work, not the other way around.

    3. Re:I'm shocked (not really) by PopeRatzo · Score: 2

      Or they could slow down, and write less code, more carefully.

      Most developers are not able to tell their boss or client that they want to "slow down, and write less code, more carefully" if they want to keep their jobs.

      I don't think it matters much that the developer was somebody that Toshiba hired and not a full-time Toshiba employee. Toshiba is still responsible. If you're going to keep users' information, you better be a little more careful. Or, set better standards for your contract workers.

      It's not that hard to have an online "contest" without putting users' personal data at risk. I'm guessing that many Slashdot users could come up with pretty foolproof ways of getting the job done.

      If we're going to allow these worldwide mega-corporations to exist, with fingers in all sorts of diverse pies, big and little, all over the place, then we're going to have to hold them to high standards. An oil-spill in the Gulf or a chemical spill in Bhopal or a data-spill in the metaverse, somebody needs to hold a great big Louisville slugger over the heads of these corporations. And the bigger the corporation, the bigger the bat.

      A "slap on the wrist" is not nearly as effective as 30 oz of white ash on the side of the head.

      --
      You are welcome on my lawn.
  2. Hunger for personal details by wannabgeek · Score: 2

    But I think the more pertinent question is, why did Toshiba have to collect so many personal details just for a competition? Why do they need the date of birth? Just ask for age, and that too, only if necessary for some legal / regulatory reasons.

    --
    I'm much more funny, interesting and insightful than the moderators think
  3. Re:ICO? by nomadic · Score: 2

    Probably the best PS2 game ever made. http://en.wikipedia.org/wiki/Ico

  4. Re:ICO? by EdIII · Score: 3, Interesting

    Ah yes, that explains it. They're British.....

    "No fine, but you promise not to do it again right?"

    Of course, if you are not favored it could be worse.

    Seriously? A signed paper? That's it? I can see the people at Toshiba rolling their eyes when they got it.