Slashdot Mirror


How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes: I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second-guessing how to move forward if it is not quickly resolved. So, Slashdot, how would you handle this situation?
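The flaw the submitter describes is an insecure direct object reference: the server trusts the document ID in the URL and never asks who is requesting it. The following is an added example, not code from the thread or from any party in it, with constructed names and sample data; it puts a minimal lookup with that flaw next to a hardened one that requires a session and checks ownership.

```python
# Added example, not from the Slashdot thread: a minimal document store
# with the flaw the submitter describes (an insecure direct object
# reference) next to a hardened lookup that checks session and ownership.
# All names and sample data here are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    content: str


# Constructed sample data: statements uploaded by two different customers.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "Alice's card statement"),
    1002: Document(1002, "bob", "Bob's card statement"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested document."""


def fetch_document_insecure(doc_id: int) -> str:
    """Vulnerable handler: the document ID from the URL is the only input,
    so anyone who edits the number in the URL reads another customer's file."""
    return DOCUMENTS[doc_id].content


def fetch_document_secure(session_user: Optional[str], doc_id: int) -> str:
    """Hardened handler: require an authenticated session and return the
    document only if it belongs to that user. Missing and foreign IDs get
    the same error so the response does not reveal which IDs exist."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden("document not found or not yours")
    return doc.content


def can_read(session_user: Optional[str], doc_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler serves the document."""
    try:
        fetch_document_secure(session_user, doc_id)
        return True
    except Forbidden:
        return False
```

The secure handler also keys the check on the server-side session rather than on anything in the URL, so a customer cannot grant themselves access by editing the request.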

5 of 230 comments

  1. Re:Notify CTO, CFO & CEO offices by AK Marc · Score: 4, Interesting

    I worked for a 10,000+ person company; the CEO read the emails identified by his secretary as important. I worked for a 200+ person tech company where the CTO read some of the emails the secretary printed out for him. He didn't have a computer (not in the office, and not at home). If he sent an email, he dictated it to his secretary, and she would then send it for him.

    For a 5-man company, you may find CEOs read their own emails. For larger than that, the CEOs don't read emails. The few I know that did used their personal email for business, and the business email was essentially forwarded to the info@ email box.

    I've found that snail mail got insanely quick response. It would get to the CEO and be read. Only obvious advertisements would be withheld by helpers, and even then not aggressively so.

  2. Get off my lawn by fulldecent · Score: 5, Interesting

    I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

    FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.

    You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story, which proves how innocent you are, and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and someone else's bank records came up... then I found out I made a typo", this is a perfectly reasonable story; there is nothing to be afraid of.

    --
    I was raised on the command line, bitch

  3. Re:If you're in the United States, get a lawyer by Anonymous Coward · Score: 4, Interesting

    Personally, if it were me, I agree with the statement "get a lawyer", but for different reasons. I'd immediately sue them. In a court of law you've now put them on the defensive. If they try to take legal action against you, you have it on record that you discovered a flaw in their system and immediately held them responsible. If they try to claim you were doing anything malicious, then they have to admit wrongdoing and plead guilty to your lawsuit. And in your defense case, it then looks like you happened to find the flaw, were furious, and took legal recourse against them.

    It may not make technical logic, but as far as I can tell in the legal world, putting them on the defensive as soon as possible is the best move you can do.

  4. Re:Krebs by Jane Q. Public · Score: 4, Interesting

    Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

    Don't be so sure.

    I had a similar problem with a bank back in 2000-2001. I called their customer service dept. and they put me in contact with the IT dept. I explained that their web banking portal was spewing private information all over the place. (I was quite alarmed, since I had noticed this while doing my own online banking.) They said they'd see to it right away.

    A couple of weeks go by, it's still the same. Now, mind you, this was a MAJOR leak to anybody who knew about it. Arguably worse than OP's problem. So I called them again. I was assured that they were right on top of it.

    After about another month went by, I went into the main branch of the bank, and SHOWED this to one of the managers. He seemed quite concerned. Another couple of months go by... nothing.

    I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story. (Turned out later, they were best buds with this particular bank.)

    Anyway, long story short: they did nothing. It took them a full year and a half to fix the problem. If I had been an unethical person, I could have emptied out the accounts of MANY people over that time.

  5. Re:Krebs by camperdave · Score: 5, Interesting

    Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank itself doesn't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.

    --
    When our name is on the back of your car, we're behind you all the way!