Slashdot Mirror


How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

4 of 230 comments (clear)

  1. Notify CTO, CFO & CEO offices by BoRegardless · · Score: 4, Funny

    Those people will definitely take your info and get it acted upon.

  2. Post the URL here... by Anonymous Coward · · Score: 5, Funny

    ... That way we can help, too.

    Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?

  3. Buy some suntain lotion by Vinegar+Joe · · Score: 5, Funny

    You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
  4. Re:Krebs by ArcadeMan · · Score: 4, Funny

    I agree. A friendly game of baseball is the perfect opportunity to discuss security issues with them.