
Is this worth contacting the DPC for?

  • 21-06-2017 11:09pm
    #1
    Closed Accounts Posts: 1,288 ✭✭✭


    So I've just signed up for a sort of a loyalty card scheme for a place I occasionally go to. It involves entering the membership card number online, and signing up. Simple enough.

    The problem I've discovered, however, is that the loyalty card website is not secure, and that, in theory, you can sign in to anyone's account, so long as you know (or just guess) their account number.

    When you sign in, the account page features your account number in the URL. However, because the site isn't secure, you can sign in simply by accessing the URL directly, without the need to sign in, or even knowing the password. I've tested this by accessing my own account, directly from the URL, on a laptop which has none of my information saved on it.

    By doing this, you can access another person's name, address, phone number and email. The loyalty card system also allows you to add credit to your account via credit card. I have no idea whether there's a way to save your payment details for future use, and if there is, I have no idea if there's a way to see those details via the method above.

    I contacted the company in question about this, and they said that they would work on it. That, however, was two working days ago.

    Do you think it's worth forwarding this to the Data Protection Commission, and if it is, how long do you think is a reasonable time to allow the company to resolve it in-house, without contacting the DPC?

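What the post describes, an account page addressed by the membership number in the URL and served without any check of who is asking, is a missing access control on a direct object reference: the URL names the record, and nothing ties the request to a logged-in user. The following is an added example, not code from this thread or from the site in question, that models the vulnerable lookup next to a corrected one and reproduces the poster's own check (fetching the account URL from a client with no session). The account records, the session table and the `Request`/`Response` types are constructed, hypothetical stand-ins for whatever the real site uses.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: loyalty accounts keyed by membership number.
ACCOUNTS = {
    "10001": {"name": "A. Example", "email": "a@example.invalid", "credit": 12.50},
    "10002": {"name": "B. Example", "email": "b@example.invalid", "credit": 3.00},
}

# Constructed session table: opaque session token -> membership number that logged in.
# A real site would keep this server-side, keyed by a random, unguessable token.
SESSIONS = {"session-token-for-10001": "10001"}


@dataclass
class Request:
    path: str                                   # e.g. "/account/10002"
    cookies: dict = field(default_factory=dict)  # {} models a browser with nothing saved


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def account_number_from_path(path: str) -> Optional[str]:
    """Parse "/account/<digits>"; anything else is not an account URL."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "account" and parts[1].isdigit():
        return parts[1]
    return None


def vulnerable_account_page(req: Request) -> Response:
    """The pattern the post describes: the number in the URL is the only 'credential'."""
    number = account_number_from_path(req.path)
    if number is None or number not in ACCOUNTS:
        return Response(404)
    return Response(200, ACCOUNTS[number])  # served to anyone who knows or guesses the number


def hardened_account_page(req: Request) -> Response:
    """Require a valid session and serve only the account that session is bound to."""
    number = account_number_from_path(req.path)
    if number is None:
        return Response(404)
    session_owner = SESSIONS.get(req.cookies.get("session", ""))
    if session_owner is None:
        return Response(401)   # no session: no data, whatever the URL says
    if session_owner != number:
        return Response(404)   # another member's account; 404 does not confirm it exists
    return Response(200, ACCOUNTS[number])


def probe(handler: Callable[[Request], Response], number: str) -> int:
    """The check from the post: request an account URL with no cookies at all."""
    return handler(Request(path=f"/account/{number}")).status
```

Running `probe(vulnerable_account_page, "10001")` returns 200 with the full record, which is the behaviour the poster observed on a laptop with nothing saved; the hardened handler returns 401 for the same request and 404 when a logged-in member asks for a number other than their own. The session token is what should be unguessable, not the membership number printed on the card. Note that this fixes the access check only; whether payment details are stored or exposed is a separate question the post leaves open.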

Comments

  • Closed Accounts Posts: 2,067 ✭✭✭368100


    Yes... if they couldn't fix it there and then, they should have taken the website offline.

    Scammers jackpot


  • Registered Users Posts: 36,165 ✭✭✭✭ED E


    Get a nerdy friend to write a script to query a range of say 100k membership numbers. Then email their customer base to the DPC as an example of how feckin thick they are.


  • Registered Users Posts: 2,340 ✭✭✭seagull


    This sort of leakage used to be fairly common about 10 years ago. What kind of idiot do they have setting up their website that has this exposure in it? Anyone with a degree of cop on should be doing a better design than that.


  • Registered Users Posts: 6,464 ✭✭✭MOH


    ED E wrote: »
    Get a nerdy friend to write a script to query a range of say 100k membership numbers. Then email their customer base to the DPC as an example of how feckin thick they are.

    That's probably meant somewhat sarcastically, but don't do that. But do refer it to the DPC.


  • Moderators, Business & Finance Moderators, Motoring & Transport Moderators, Society & Culture Moderators Posts: 67,747 Mod ✭✭✭✭L1011


    They should report this themselves. They probably won't. Report it ASAP.

