How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

Krebs

[kylemonger]

Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

Re:Krebs

[MrBigInThePants]

Absolutely. Tell lots of high profile people who loose lips. Hey, tell your favorite prostitute while you are at it!

Blab about it on the internet on a very popular website also. That will increase your chances of being personally identified before you notify the appropriate people and ensure that the preemptive action they will take against you will not work. Alternatively they can also use that against you after the fact instead/as well.

I would also suggest as "icing on the cake" to paint red circles of decreasing size around you anus to make targeting easier.

Alternatively you could ignore the truly SHITTY advice here on slashdot and be discrete and anonymous.

Re: Krebs

[bill_mcgonigle]

I like Krebs, so DO NOT put him in a position where he has to think about protecting your identity. For the love of all that is holy, boot Tails on a junker laptop at a cafe you never go to and use a throw-away mail account or pastebin it and leave a comment.

Or just walk away. You have no duty to put your life on the line here - everybody who supports the system that will throw you to the lions for being a good guy will suffer for it in kind. You're not obligated to be their saviour. Sucks, but play the shitty hand you're dealt - don't bet all your money wishing you didn't just have a pair of threes.

Re:Krebs

[Jane+Q.+Public]

Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

Don't be so sure.

I had a similar problem with a bank back in 2000-2001. I called their customer service dept. and they put me in contact with the IT dept. I explained that their web banking portal was spewing private information all over the place. (I was quite alarmed, since I had noticed this when doing my own online banking.) They said they'd see to it right away.

A couple of weeks go by, it's still the same. Now, mind you, this was a MAJOR leak to anybody who knew about it. Arguably worse than OP's problem. So I called them again. I was assured that they were right on top of it.

After about another month went by, I went into the main branch of the bank, and SHOWED this to one of the managers. He seemed quite concerned. Another couple of months go by... nothing.

I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story. (Turned out later, they were best buds with this particular bank.)

Anyway, long story short: they did nothing. It took them a full year and a half to fix the problem. If I had been an unethical person, I could have emptied out the accounts of MANY people over that time.

Re:Krebs

[camperdave]

Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.

Re:Krebs

[pepty]

Call the bank and ask for their "agent of service", This is the first step you take when you sue a corporation: find out the lawyer you need to send the paperwork to. Not that you will actually be suing them, but if anyone can light a fire under the bank's IT staff it's their lawyer.

Re:Krebs

[plover]

Nobody took computer security seriously back in 2001. Things have changed a lot since then. For example, if you were to contact that same bank with the same information today, they would likely know better and would now contact the FBI and have you arrested on charges of violating the Computer Fraud and Abuse Act.

Actually, contacting the FBI might not be a bad choice for the story submitter. They would probably be very interested in working with that bank to shut this problem down quickly.

Re:Krebs

I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story.

Notorious troll Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.

Re:Krebs

[ArcadeMan]

I agree. A friendly game of baseball is the perfect opportunity to discuss security issues with them.

Re: Krebs

[devilspgd]

Or just walk away.

While true, this solution doesn't allow one to protect their own data which is also exposed.

Re:Krebs

[camperdave]

Having sex with a spy is on my bucket list.

"Never mind why. Just clip this lapel mic to your blouse."

Re:Krebs

[drolli]

As a user you are not supposed to make sensible input to the support hotline. Also the head of the local branch is a user.

IT departments in banks are behemoths, never changing course. They can't react quickly. A mess of different never integrated systems which were kept over decades, "tailored" solutions by consultants with too little a time budget in the projects, and department heads for whom the internet is a new technology create an impenetratable mess where even the support doen not know whom to turn to.

Re:Krebs

Do NOT give them anything in writing that is an admission of "hacking".

Re:Krebs

[AchilleTalon]

Having written the on-line banking communication protocol of a bank back in 1995 I can assure you they were not taking security seriously. I explicitly asked about requirements for encryption and they had none. They didn't want to bother with encryption because the infrastructure was running on dialup lines connected directly to their infrastructure and they wanted to be the first bank to make on-line banking available to its customers. At this time, the internet was in its infancy, hence the choice for the dialup infrastructure, and everyone was subscribing dialup lines for the Internet access DSL and cable-modem was still waiting to be invented. It was even Windows 3 and OS/2.

Re:Krebs

[PetiePooo]

...but buggars can't be choosers I guess...

Fixed that for ya...

Re: Krebs

[BVis]

I guarantee you that their lawyers can beat up his lawyers. If he sues, he'll get buried in paper, causing legal fees to quickly attain unmanageable levels, then they'll counter-sue for defaming their name. He'll be lucky to walk away with the shirt on his back.

America!

Re:Krebs

[cusco]

In the last '90s I worked as System Operator for a company which sent several thousand automated account renewals to credit card companies each month. We had been sending 9-track tapes via Fed Ex, and I was tasked with converting all these to digital transfers. We ended up with a mish-mash of different methods, dialup modem, encrypted email attachments, etc. but American Express had a rather unique approach.

They had us FTP an unencrypted, unzipped text file to a folder with our account number on their ftp site. Logged in as anonymous. With full access to all the other folders showing all their other customers' data transfers. They didn't clean up the folders either, so some of the other customers had a year's-worth of data transfers piled up. We couldn't believe it.

Re:Krebs

[vakuona]

I think you will find that banks have real liability when they fail to protect customer data. At least here in Europe they would.

Re:Krebs

[Jane+Q.+Public]

He reported it AFTER exploring it en mass, and while his motives *may* have been pure... the degree he went to can and were used to harm him.

Contrary to what was reported from many sources, he DID go to them first, before publishing the exploit. The fault for not fixing it immediately rests on them, not him.

What he did was normal curiosity. Hell, I've done it. In fact I don't know of any web or security professionals who haven't. Got an ID in the URL? Increment it by one, see what happens. We all do it.

Granted, we don't normally explore it to the degree he did. But what he did was ridiculously simple, and hardly even deserves the term "hacking" at all. What THEY did was akin to leaving the back gate open and putting out a sign that says "Come on in!", then complaining about it when someone did.

Anyway, I'll repeat what I said about my own experience: I didn't need to go "fishing" for information in that case. It was being sent TO ME, just in a non-obvious way. I stumbled across it, I didn't go looking for it or trying to exploit it. I sure could have, though.

Notify CTO, CFO & CEO offices

[BoRegardless]

Those people will definitely take your info and get it acted upon.

Re:Notify CTO, CFO & CEO offices

[AK+Marc]

I worked for a 10,000+ person company, the CEO read the emails identified by his secretary as important. I worked for a 200+ person tech company where the CTO read some of the emails the secretary printed out for him. He didn't have a computer (not in the office, and not at home). If he sent an email, he dictated it to his secretary, and she would then send it for him.

For a 5-man company, you may find CEOs read their own emails. For larger than that, the CEOs don't read emails. The few I know that did, used their personal email for business, and the business email was essentially forwarded to the info@ email box.

I've found that snail mail got insanely quick response. It would get to the CEO and be read. Only obvious advertisements would be withheld by helpers, and even then not aggressively so.

Re:Notify CTO, CFO & CEO offices

[pepty]

In my experience, it won't.

I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address.

Most likely, the non-profit sold your email address (along with the rest of their list), leading to embarrassment all around when you contacted them about the spam.

Re:Notify CTO, CFO & CEO offices

[Alan+Shutko]

In my Fortune 25 company, we have a department of people devoted to resolving issues of people who contact the CEO, President, or other members of senior staff. This method absolutely will light a fire under the IT staff to fix it. I don't know whether he reads every incoming letter or email, but I do know that each one is handled by the presidential escalation team, and tracked, and reported out regularly.

We also have a Chief Information Security Officer who will personally latch onto this like a bulldog and ensure that it's fixed. We had a breach a number of years ago and it's still used as a reminder that "That will NOT happen again."

Re:Notify CTO, CFO & CEO offices

[Harlequin80]

I call the CEOs, State Managers, Divisional Directors etc etc of companies that range in size from 20 person to 75,000 person on a daily basis for my job. You absolutely need the name in order to get anywhere but that information is very very simple to get. To get through to those people all you need to do is sound like you expect to be put through.

Worst case scenario is you are referred down the chain of command. There is no way that the CEO of a 10,000+ person is going to be the right person to speak to, however a conversation with their Head of IT that starts with John Doe said I should speak with you to sort this gets balls moving very quickly.

Re:Notify CTO, CFO & CEO offices

[0xG]

This should not have been modded "Funny"; it's actually a very good strategy. I got taken off a corporate spam list (HP) by contacting "Office of the President". Nothing else I tried would work. Got a similar result with my ban when I couldn't get the payout amount for my mortgage. It was a reasonable request, but I was stonewalled - so I contacted the Pres. Got called back the same day with all the info I needed.

Post the URL here...

... That way we can help, too.

Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?

Re:Post the URL here...

[mallyn]

My mother's maiden name is Judy Garland and my high school is The Emerald City High School.

Buy some suntain lotion

[Vinegar+Joe]

You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.

Re:Buy some suntain lotion

[pollarda]

Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.

Re:Buy some suntain lotion

[borcharc]

This shouldn't be modded funny, its the most likely outcome. You really should start thinking of protecting yourself now that you have made yourself a target.

Re:Buy some suntain lotion

[pbhj]

>reporting vulnerabilities doesn't get you put in Jail, however manipulating sites without permission to look for them does. //

Except that in this case the report is evidence of having "manipulated" the site "without permission" *.

* web accessible documents have an assumed permission IMO; the removal of permission is performed by making the page only accessible with a password or similar auth.

Re:Buy some suntain lotion

[Lesrahpem]

Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.

I thought of one particular case as soon as I read the summary: https://www.eff.org/cases/us-v....
Aernheimer was charged under the CFAA for exposing a similar problem with AT&T's website.

If you're in the United States, get a lawyer

You called the bank and admitted manipulating the site in order to view other people's private financial information.

Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).

Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.

Re:If you're in the United States, get a lawyer

[nerdonamotorcycle]

I agree. We all like to think we're being responsible citizens and good Samaritans by alerting people to dangerous situations. In an ideal world, that would be true. With the trend of treating whistleblowers in the U.S. as criminals, criminal prosecution is a very real possibility. Think about what happened to Randal Schwartz. I would absolutely not move forward with something like this without benefit of legal counsel.

Re:If you're in the United States, get a lawyer

About 20 years ago I had something similar happen, I emailed people about a bug (not even as important as people's financial data, but still similar). It was a large company (30B market cap). Anyways, I received no response and didn't really think much of it, Several months later, the local FBI team came in and took all my computers, we had a short meeting with them about a year later, where they explained that I had hacked and then threatened that company, And then never heard from them again. This was back when I was using POP3 so I don't even have the email to know what I said, it may have have sounded like a threat, I honestly don't remember. My guess is shortly after my email something happened, and they found the email, which was through my ISP at the time, and contacted them assuming I had done it. As near as I can tell, they had logs that I visited the site, but nothing more as evidence.

Anyways, my advise from this experience is to unfortunately keep it to yourself, be very careful when trying to be the good guy here. Since you've already started, you might be wise to contact a lawyer...

Re:If you're in the United States, get a lawyer

Personally if it were me, I agree with the statement get a lawyer, but for different reasons. I'd immediately sue them. In a court of law you've now put them on the defensive. If they try to take legal action against you, you have that you discovered a flaw in their system, and immediately held them responsible. If they try to claim you were doing anything malicious, then they have to admit wrong doing and plead guilty to your lawsuit. And in your defense case, then it looks like you happened to find the flaw, was furious and took legal recourse against them.

It may not make technical logic, but as far as I can tell in the legal world, putting them on the defensive as soon as possible is the best move you can do.

Re:If you're in the United States, get a lawyer

[bigtrike]

The one time I ran into this, I informed the company from an anonymous email account. I claimed that I'd accidentally typed a number into the URL bar and someone else's complete order information came up. I stated that I had not shared the information with anyone and did not plan to (to cover my ass and make it clear I was not threatening them). I was still worried that they'd send the FBI after me, but I also felt that I had a moral obligation to inform them of the issue before someone else discovered it and stole a bunch of customer information.

Re:If you're in the United States, get a lawyer

[BitZtream]

Regardless of your intentions, you may be treated as the wrongdoer here

Not likely. Just because you've heard of some idiots who try to pretend they 'just accessed some urls' while stealing and republishing other peoples data doesn't mean that the FBI (who would handle such things) is a bunch of raving nutters.

You're just being silly and making things up. Banks are regulated, they don't get to randomly freeze your account because they feel like it. Stop believing random crap you read on the Internet. The things you've seen reported on slashdot and other places are ALWAYS BS. Not entirely, but the story you hear is HALF the story. Its kind of like car accidents ... you can watch someone rear end another car on the street, and then they'll give you a story about how it wasn't their fault and it was the other guys and the give you all the right details to make it sound like they weren't at fault.

Second, freezing your account to prevent you from paying a lawyer will just result in the lawyer filing a motion to get enough money to pay legal fees, and unless you're a complete and total jackass like Kim dotcom asking for millions, you'll get the money to pay your lawyer.

The responsibility of disclosure

[clockwise_music]

Troy Hunt has a great article here on the responsibility of public disclosure:

http://www.troyhunt.com/2013/0...

Re:It takes a scandal to fix this kind of thing IM

Too late...our anonymous submitted has already outed himself to the bank, and even if he hadn't, there should be enough of a trail in the server log to find it was him.

Slashdot it

[belmolis]

Post the URL in a Slashdot article. There's a good chance a technical person in the company will read it. And since the site will be Slashdotted, you're probably not exposing any data. :)

Time to sever the financial relationship

[Tillman]

Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.

Do not reveal the information to anyone else, and don't go poking around.

Contact the company's CSIO

[ZipK]

Try mailing security@companydomain.com. Follow-up on Monday by calling the company's headquarters and asking for the CSIO (chief security information officer). If neither of those work, ask to speak to the CIO's or COO's office.

Re:Seems this has been done before...

[mixed_signal]

The folks that discovered the AT&T flaw downloaded information on something like 40,000 people and forwarded it to a journalist. Calling the institution itself after a spot check is pretty tame and seems well intentioned on its face compared to the AT&T situation.

Please be very careful!

[mallyn]

Folks:

Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecuters.

Here is what I would probably do:

1. Remove all of my own assets from the company/institution.

2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.

3. Verbally (in person if possible, phone as a last resore, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.

4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. Fot God's sake, think twice, no three times before going this far.

5. Shut up and go about your business.

You done fucked up

[ArchieBunker]

Every time someone has tried to be the nice guy its backfired. You see something like this? Keep your mouth shut and forget it even happened.

Get off my lawn

[fulldecent]

I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.

You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and some else's bank records came up... then I found out I made a typo". This is a perfectly reasonable story, there is nothing to be afraid of.

It is not a bank or brokerage account.

[140Mandak262Jamuna]

It is one of those mail-in-rebate houses. I am surprised there are people who still use them. The whole idea is a scam. To help them advertise a low low price, but small print reveals mail-in rebate to get the advertised price. I stopped using them long ago. They rely on consumers not bothering to send in the rebate coupons. Looks like now they allow the mail-in rebate to be claimed over the net, and the proof of purchase could be credit card statements.

It is a security hole and all the dire warnings by others are true. Most of these companies are run by people with no IT or computer expertise. The top man is going to haul the IT dept on the carpet and demand an explanation. You think the IT chief is going to admit that he/she was running a moronic system? No, she/he is going to shift blame and find some convenient scape goat. Given the top honchos don't know much about anything other than their bonus calculation, IT chief is going to claim, "It is a hack! That guys hacked into my super secure site". Then the PHBs running the company would call in the lawyers and make a mess out of the situation.

One thing the anonymous guy can do is to call the company that issued the mail-in-rebate and tell them, the outfit they had out sourced their rebate processing has holes in the system. Now it is the very big company that issued the rebate coupons run by PHBs fighting a smaller company that got the rebate processing contract run by PHBs. And quietly withdraw without drawing too much attention.

You.will.be.blamed

[MrKaos]

Accept this, as you have uncovered something they didn't know and can potentially damage them.

I did this with a government tax office and tried to alert them by calling the very number they advertised to handle this sort of issue. The response went like this:

• Yeah there is a number you can call for this
• There is a what in our what?
• please provide you contact details

The problem is, you want to help them and all they can see is 'random person the phone saying we have a problem' so it is easier to solve you. If the company is responsible enough to have a CERT team and a reporting mechanism you may stand a chance but it is more likely you will draw their ire because you can hurt the companies reputation.

If you can't change institutions then you should consider establishing what their data privacy policies are, hire a lawyer and then frame legal action to protect your own data whilst seeking damages to the value of your life earnings for exposing you to identity theft and fraud. You should be pissed off.

They won' t play nice so neither should you. Seek legal advice about the possibility for damages because you have been exposed to fraud. Leave it to them to discover the mechanism, because if they are that bad there are probably more.

Rookie mistake...

[Fallen+Kell]

Well as others have already stated, you already made the rookie mistake of trying to report the issue and gave them your name and contact information. Now you are on the record as having breached their "security", even as pathetic as it is. When big money is possibly involved (as it would be in the case that financial information of hundreds/thousands of people are involved), you just became the "scapegoat". They will now use you as "hacking" them to attempt to make claims on their insurance to cover the cost of fixing the problem. That also means they will need to report to law enforcement, etc., to have the case brought forward.

Ass covering, BT Example from UK

In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.

The man who discovered it was prosecuted for hacking their website:

http://www.scl.org/site.aspx?i=ed832

"He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "

"But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "

Re:Rookie mistake... Also...

[Fallen+Kell]

DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!! I can't state that enough. Also, DO NOT ACCESS IT EVER AGAIN!!!!!! I also can't state that enough either. Any subsequent accesses/"breach" of their security will be blamed on you, and used as evidence that you sent others the information, since you were the only one who knew. Anything anyone else does will be painted as you working in conjunction with a "group of hackers" in an attempt to defraud others, or even possibly extort the company in some way. Any continued access attempts on your part will be used to show that it wasn't a onetime mistake that let you uncover the issue, and that you continued to "hack" the site over a period of time.

Dan Cuthbert, UK

Your thinking of Dan Cuthbert I think. A UK case, he donated money to a charity page then entered a directory traversal. Most likely /.. into the URL.

http://www.scl.org/site.aspx?i=ed832

(Slashdot is one dot away from a crime!)

It was a real face palm moment for the British Justice system that they prosecuted him. In effect they said "a directory traversal would not have been authorized, therefore this is unauthorized use of a computer, hence a crime".

A law designed pre-internet, yet the RFC for the web permits those URLs and their server provides the RFC interface therefore its for them to handle what data they return on what URLs. In this case they returned a 404 error page or similar. WHICH IS EXACTLY WHAT THEY SHOULD HAVE DONE, as per the spec.

What point did it become a crime? When Judges the are also pre-internet get involved.

Intent

[TapeCutter]

Agree. The AT&T mob were not hammered in court for finding a flaw, they were hammered because they attempted to use the flaw to extort money.

Deal with someone else

[FrozenGeek]

Give them, maybe, one day to respond to your complaint. If they do not respond to your satisfaction, close your account and go elsewhere. It's your money. If they won't take good care of it, someone else will.

Confidence

That's a confidential web forum that handles cases like this. Just provide the sensitive details and they'll take care of it from there. It's @ 4chan.org.

Take Immediate and Thorough Action

[DERoss]

Send a postal letter to the CEO of the financial institution. Explain the problem. Give the institution a deadline for action. Since I found no actual disclosure of information in my case, I gave the institution a month. In your case, a week should be the maximum.

If you do not hear back in a week, send a postal letter to the government agency that supervises the institution (e.g., SEC, Controller of the Currency, FDIC). Send a copy to the federal Consumer Financial Protection Bureau. Postal addresses are available online for such agencies.

It helps if the institution's privacy policy indicates such disclosures are not permitted. In that case, insist that the government agency enforce the institution's privacy policy.

Better Krebs than Weev

[billstewart]

You don't want to end up like Weev, even though they did eventually let him out of jail. And you're apparently not somebody who's got the kind of personality he has, which, while it may make you less likely to end up in jail, isn't necessarily going to get you off the hook either.

Better avenues that public disclosure

[matthewv789]

There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.

1. 1. Try to notify technical contacts, who can most efficiently and cheaply understand and fix the problem, with the least embarrassment or hassle.
2. 2. Notify the legal department, outside counsel, accountants or auditors. They are responsible for dealing with risks to the company, and to certifying proper controls over financial or customer information.
3. 3. Try to notify executive management directly.
4. 4. Contact government and other regulatory or certifying bodies, such as PCI (for anyone handling credit cards), SEC (for public companies), FTC, Better Business Bureau, Chamber of Commerce, etc.
5. 5. Report it to CERT.
6. 6. If you're a customer, (politely) threaten to take your business elsewhere (or actually do it), or have your attorney send them a letter threatening to sue for putting your information or money at risk. You could threaten to make it a class action too. (Note that you'd need to be an affected customer to have standing to sue.)
7. 7. Any public disclosure you may be tempted to make, go through a news organization, who will verify the information, contact the company for comment, and weigh the ethical pros and cons of how to tell the story effectively without revealing so much information as to do harm. Some "on your side" segments on local TV news might work well for this.
8. 8. If you want to publish or comment publicly yourself, consult your attorney, and limit yourself to saying that there is a vulnerability, but not any details about it. But you can particularly publicize the company's (non-)response to it.
9. 9. If you can document that someone else is already exploiting the flaw, you could report on the exploitation that's occurring, without being the one to expose the vulnerability.
10. 10. And of course once the flaw is fixed, you could discuss it more widely as well.

(IANAL)

Demand that your data gets taken down?

[wonkey_monkey]

I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me.

Presumably, then, your data is viewable to others. First thing I'd do is demand that my data gets removed until the problem is fixed. Then I'd tell everyone who needs to know that I won't be uploading any more documents to this other website until someone else tells me I must, thereby taking responsibility for me doing so.

Mind you, I'm in the fortunate position of having directors who take me seriously when I tell them things like that.

Yes, get a lawyer

[davidwr]

As other replies have said, you are probably better off getting a lawyer BEFORE you go to the bank or anyone else.

Why?

1) If they've already discovered this themselves they may be working with the FBI and there may be a subpoena in your ISP's hands within minutes of you making your discovery.

2) Even if there isn't, the veiled threat of prosecution can be very intimidating.

3) By having your attorney speak to the bank and/or the government/police authorities for you BEFORE the police contact you, it will be abundantly clear to the police that you are just a good citizen and that it would be a political mess if they threatened to press charges or ignore the problem.