How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

Re:Notify CTO, CFO & CEO offices

[AK+Marc]

I worked for a 10,000+ person company, the CEO read the emails identified by his secretary as important. I worked for a 200+ person tech company where the CTO read some of the emails the secretary printed out for him. He didn't have a computer (not in the office, and not at home). If he sent an email, he dictated it to his secretary, and she would then send it for him.

For a 5-man company, you may find CEOs read their own emails. For larger than that, the CEOs don't read emails. The few I know that did, used their personal email for business, and the business email was essentially forwarded to the info@ email box.

I've found that snail mail got insanely quick response. It would get to the CEO and be read. Only obvious advertisements would be withheld by helpers, and even then not aggressively so.

Get off my lawn

[fulldecent]

I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.

You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and some else's bank records came up... then I found out I made a typo". This is a perfectly reasonable story, there is nothing to be afraid of.

Re:If you're in the United States, get a lawyer

Personally if it were me, I agree with the statement get a lawyer, but for different reasons. I'd immediately sue them. In a court of law you've now put them on the defensive. If they try to take legal action against you, you have that you discovered a flaw in their system, and immediately held them responsible. If they try to claim you were doing anything malicious, then they have to admit wrong doing and plead guilty to your lawsuit. And in your defense case, then it looks like you happened to find the flaw, was furious and took legal recourse against them.

It may not make technical logic, but as far as I can tell in the legal world, putting them on the defensive as soon as possible is the best move you can do.

Re:Krebs

[Jane+Q.+Public]

Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

Don't be so sure.

I had a similar problem with a bank back in 2000-2001. I called their customer service dept. and they put me in contact with the IT dept. I explained that their web banking portal was spewing private information all over the place. (I was quite alarmed, since I had noticed this when doing my own online banking.) They said they'd see to it right away.

A couple of weeks go by, it's still the same. Now, mind you, this was a MAJOR leak to anybody who knew about it. Arguably worse than OP's problem. So I called them again. I was assured that they were right on top of it.

After about another month went by, I went into the main branch of the bank, and SHOWED this to one of the managers. He seemed quite concerned. Another couple of months go by... nothing.

I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story. (Turned out later, they were best buds with this particular bank.)

Anyway, long story short: they did nothing. It took them a full year and a half to fix the problem. If I had been an unethical person, I could have emptied out the accounts of MANY people over that time.

Re:Krebs

[camperdave]

Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.

Re:Krebs

[AchilleTalon]

Having written the on-line banking communication protocol of a bank back in 1995 I can assure you they were not taking security seriously. I explicitly asked about requirements for encryption and they had none. They didn't want to bother with encryption because the infrastructure was running on dialup lines connected directly to their infrastructure and they wanted to be the first bank to make on-line banking available to its customers. At this time, the internet was in its infancy, hence the choice for the dialup infrastructure, and everyone was subscribing dialup lines for the Internet access DSL and cable-modem was still waiting to be invented. It was even Windows 3 and OS/2.

Re:Krebs

[cusco]

In the last '90s I worked as System Operator for a company which sent several thousand automated account renewals to credit card companies each month. We had been sending 9-track tapes via Fed Ex, and I was tasked with converting all these to digital transfers. We ended up with a mish-mash of different methods, dialup modem, encrypted email attachments, etc. but American Express had a rather unique approach.

They had us FTP an unencrypted, unzipped text file to a folder with our account number on their ftp site. Logged in as anonymous. With full access to all the other folders showing all their other customers' data transfers. They didn't clean up the folders either, so some of the other customers had a year's-worth of data transfers piled up. We couldn't believe it.