
Quite big company booking confirmations being made public

  • 09-05-2013 9:59am
    #1
    Registered Users Posts: 43,843 ✭✭✭✭


    Bit of a strange one this!

    I was googling something at the weekend, and noticed a quite big Irish company issuing booking confirmations (containing name, e-mail address and other information specific to the customer) which seem to be getting indexed in Google search results.

    Sent them an e-mail informing them of such, but heard absolutely nothing back from them. Not a "thanks for bringing it to our attention" e-mail or even a "we're looking into it".

    I know if it was my details I'd be very annoyed... so should I follow up with them again?

    Any suggestions welcome!


Comments

  • Registered Users Posts: 2,276 ✭✭✭Cheshire Cat


    Definitely!

    If you get no reaction get on to the data protection agency or email some of the people affected to let them know.


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    Have followed up with another e-mail.. will see what happens.

    They've a "Live Chat" function on their website but tried using that the other day and no-one seemed to answer there either.


  • Registered Users Posts: 8,034 ✭✭✭goz83


    They would answer quite quickly if you let the people who are affected know about it. Subject = company name


  • Closed Accounts Posts: 8,057 ✭✭✭MissFlitworth


    I'd second the data protection commissioner, they're very proactive about things like that. You might find the company doesn't want to deal with you (because it's not your data & they are probably having heart attacks trying to fix it and/or fingers in ears going "nononononono not happening")

    http://www.dataprotection.ie/docs/Contact-us/11.htm


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,470 Mod ✭✭✭✭Cabaal


    Def go to data protection commissioner, might be no harm making a few of the people whose details have been made public aware of it as well and explain what you have tried already.


  • Registered Users Posts: 1,330 ✭✭✭readytosnap


    or tell us lot the name of the company so we can avoid until the issue is resolved.


  • Registered Users Posts: 21,444 ✭✭✭✭Skid X


    At this stage, I would be inclined to go to the Data Protection Commissioner regardless of getting a response from the company involved. This seems like a very serious issue and you shouldn't have to make three attempts to get their attention.

    http://www.dataprotection.ie/ViewDoc.asp?fn=/documents/complaint/default.asp&CatID=51&m=p


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    Thanks for the replies everyone..

    .. I've just sent an e-mail to the Data Protection Commissioner so we'll see what happens now.


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    It's a Data Protection Issue. They are the controllers of clients' data and made it public.

    They will be asked by the DPO why they weren't informed of the breach by the company.

    It's immaterial whether they replied to your email or not.


  • Registered Users Posts: 7,265 ✭✭✭RangeR


    Company may not be obliged to report the incident to DPC.

    DPC Rules

    DPC Data Loss Code of Practice outlines what should, could and may be done if a data breach is identified. There are no MUST's in there.

    This will change in 2015.

    <follow>

    Any update from DPC?


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    RangeR wrote: »
    Any update from DPC?

    Just a generic reply the day after submitting it saying the following:

    To Whom It May Concern

    I acknowledge receipt of your e-mail to the Data Protection Commissioner. Where your email relates to a query (as distinct from a formal complaint under the Data Protection Acts), you should be aware that in line with our Customer Service Charter we aim to reply within 15 working days and usually much sooner.

    In doing so, we will communicate clearly, providing you with a full response to your query.

    If we are not in a position to issue a reply within that period, we will inform you of its status.

    Regards

    Office of the Data Protection Commissioner
    Canal House
    Station Road
    Portarlington
    Co. Laois


  • Registered Users Posts: 7,265 ✭✭✭RangeR


    Cool. At least it's in the system. They will get to you. From experience, it could actually take up to the 15 business days. They be busy little bunnies at the moment but they get the job done :)

    Stay the course.


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    Hmmm.. still nothing since the acknowledgement on May 10th.

    And the booking confirmation is still online also.


  • Moderators, Technology & Internet Moderators Posts: 7,393 Mod ✭✭✭✭pleasant Co.


    The system works! :rolleyes:

    Christ, that's absolutely appalling, you would hope that this is the kind of thing that gets fixed ASAP, I definitely want to avoid using whoever this company is!

    Once it's all sorted and no-one's info is publicly available the company should be named (just grab screenshots of their ineptitude to back up your claims, to protect boards.ie) but until then it's commendable that you haven't named them.


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    Oh my... I've just found another 5 bookings online.

    Dates range from 28th March to 12th May.

    This is really infuriating..


  • Registered Users Posts: 576 ✭✭✭ifah


    You can be pretty sure that if their booking details are online, their web servers are not secured properly. Google (or any other web crawler) will index anything it can access, and Google provides the best source of attack points to hackers - just look up Google Dorks for more info.

    I would follow this up with IRISS-CERT - they provide a reporting service for this type of thing - http://www.iriss.ie/iriss/contactus.htm

    Generally if I come across businesses like this I send an initial email, follow up with a phone call and then take the IRISS-CERT route if there is no financial or PI data leaked - otherwise I try get in touch with someone at CEO or Director level.

    If you want some help with this just pm me and I can give you further details.


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    A month on.. still no update from the DPC! :confused:

    Sent them a follow up e-mail just there.


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    And still have heard nothing from the DPC... can't help but be a bit disappointed by all this!


  • Registered Users Posts: 6,794 ✭✭✭cookie1977


    Basq wrote: »
    And still have heard nothing from the DPC... can't help but be a bit disappointed by all this!

    Did the breach affect you? If not then the DPC won't be in touch again I'm afraid. I've reported breaches before and unless they affect your data they don't really respond to complaints. You won't hear of the outcome until/if they post it in their annual report or as an example on their website. It's a data protection issue.

    Edit
    I should add in case it's unclear. They'll investigate complaints brought by anyone but will only deal with those who are directly affected.


  • Registered Users Posts: 2,475 ✭✭✭NinjaTruncs


    Possibly time to name and shame. If the company isn't going to fix the problem the public have the right to know to protect their privacy.

    4.3kWp South facing PV System. South Dublin



  • Banned (with Prison Access) Posts: 3,571 ✭✭✭newmug


    Maybe you should report the DPC, to the DPC!


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    newmug wrote: »
    Maybe you should report the DPC, to the DPC!

    They are busy as hell, I'm still asking for updates from an issue I reported in Sept 2012.


  • Registered Users Posts: 1,598 ✭✭✭joe316


    Have you called them for an update rather than email?


  • Registered Users Posts: 664 ✭✭✭Rafloution


    Basq, may I ask is it a taxi company with these bookings?


  • Registered Users Posts: 43,843 ✭✭✭✭Basq


    cookie1977 wrote: »
    I should add in case it's unclear. They'll investigate complaints brought by anyone but will only deal with those who are directly affected

    Wasn't aware of this cookie1977.

    Little more than an automated acknowledgement from them would have been appreciated.

    NinjaTruncs wrote: »
    Possibly time to name and shame. If the company isn't going to fix the problem the public have the right to know to protect their privacy

    I'd rather e-mail those affected personally than name the company here..

    .. I can only assume the DPC are dealing with it, as those confirmations are slowly disappearing from Google (one left as far as I can see).

    joe316 wrote: »
    Have you called them for an update rather than email?

    Nope, working hours are not ideal for making calls.. plus as cookie mentioned, the complaint didn't affect me personally, so I'm not sure how much they'd tell me on the phone.

    Rafloution wrote: »
    Basq, may I ask is it a taxi company with these bookings?

    No, it's not.


  • Registered Users Posts: 6,794 ✭✭✭cookie1977


    I agree. You're not asking for details of who was affected but it would be nice to know the outcome of a complaint you had. I think the lack of information discourages people from complaining again.

