Slashdot Mirror


How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes: I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second-guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

7 of 230 comments

  1. Notify CTO, CFO & CEO offices by BoRegardless · · Score: 4, Funny

    Those people will definitely take your info and get it acted upon.

  2. Post the URL here... by Anonymous Coward · · Score: 5, Funny

    ... That way we can help, too.

    Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?

    1. Re:Post the URL here... by mallyn · · Score: 3, Funny

      My mother's maiden name is Judy Garland and my high school is The Emerald City High School.

      --
      Most Respectfully Yours Mark Allyn Bellingham, Washington
  3. Buy some suntan lotion by Vinegar+Joe · · Score: 5, Funny

    You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer-funded trip to Cuba.

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
  4. Re:Krebs by MrBigInThePants · · Score: 3, Funny

    Absolutely. Tell lots of high-profile people who have loose lips. Hey, tell your favorite prostitute while you are at it!

    Blab about it on the internet on a very popular website also. That will increase your chances of being personally identified before you notify the appropriate people and ensure that the preemptive action they will take against you will not work. Alternatively they can also use that against you after the fact instead/as well.

    I would also suggest as "icing on the cake" to paint red circles of decreasing size around your anus to make targeting easier.

    Alternatively you could ignore the truly SHITTY advice here on Slashdot and be discreet and anonymous.

  5. Confidence by Anonymous Coward · · Score: 2, Funny

    That's a confidential web forum that handles cases like this. Just provide the sensitive details and they'll take care of it from there. It's @ 4chan.org.

  6. Re:Krebs by ArcadeMan · · Score: 4, Funny

    I agree. A friendly game of baseball is the perfect opportunity to discuss security issues with them.