Possibly not the best way to demo software...

DublinWriter

I know this isn't strictly development, but anyone in ICT will empathise.

Was at a client meeting today where a prospective software vendor was demonstrating their online CRM system for tracking social benefit payments for certain types of payments (don't want to say which).

There projected on the big screen were details of families, children and the amount of benefits that they were in receipt of.

I've been around long enough to recognise live data from test data.

"Is this live data?" I asked.

"Yes" came the nonplussed reply from the rep, who then proceeded to demo the inbuilt reporting functionality.

Unbelievable.

Earthhorse

Jaysus.

starbaby2003

So they showed you a live version of their CRM product using live data from another client or is the data belong to your group and was given to them for the purpose of a POC ?

DublinWriter

starbaby2003 wrote: »

So they showed you a live version of their CRM product using live data from another client or is the data belong to your group and was given to them for the purpose of a POC ?

Nope, data was totally unrelated to us.

starbaby2003

DublinWriter wrote: »

Nope, data was totally unrelated to us.

Wow, just wow. How could they be so stupid.

seamus

/facepalm

Honestly, that's the kind of thing I'd report to the company's GDPR officer and if you don't get a satisfactory response I'd report it to the DPC.

It could have been an honest mistake and when you said "live" data the sales monkey thought you meant "Is this an actual online working system and not just a demo running on your laptop", rather than "Is this real information?". In which case the sales guys need to be better briefed to avoid embarrassing themselves.

Tow

In this day and age they should know better. Years ago I was given a demo copy of a system, which 'probably' contained other customers live data... It is common enough for companies to have 'super secret' data, which you cannot see. But when they lock themselves out of it, are desperate and will offer to email you the full database...

But I am more interesting in this 'CRM system for tracking social benefit payments for certain types of payments'. Unless this was demoed to DEASP, I don't see what it can legally do. Under GDPR, employers etc. have no rights to know or request benefit information.

Calahonda52

Tow wrote: »

In this day and age they should know better. Years ago I was given a demo copy of a system, which 'probably' contained other customers live data... It is common enough for companies to have 'super secret' data, which you cannot see. But when they lock themselves out of it, are desperate and will offer to email you the full database...

But I am more interesting in this 'CRM system for tracking social benefit payments for certain types of payments'. Unless this was demoed to DEASP, I don't see what it can legally do. Under GDPR, employers etc. have no rights to know or request benefit information.

Could be a vulture fund that has bought the data from someone in DEASP
https://www.irishtimes.com/news/ireland/irish-news/civil-servant-jailed-for-a-year-for-selling-social-welfare-records-1.3369567

lawred2

presume you'll not be engaging their services

christ

caff

Report them https://www.dataprotection.ie/en/individuals/raising-concern-commission

14ned

DublinWriter wrote: »

I know this isn't strictly development, but anyone in ICT will empathise.

As you say, everybody on here will have seen the same occur. Many times.

Until they start handing out personal prison sentences to individuals who leak other people's data, it won't stop. GDPR affects companies, not the individual who did the bad. So individual workers don't really care.

Up to five years in prison for any involvement in the loss of other people's data I suspect is the only way you'll ever see improvement.

Niall

lawred2

14ned wrote: »

As you say, everybody on here will have seen the same occur. Many times.

Until they start handing out personal prison sentences to individuals who leak other people's data, it won't stop. GDPR affects companies, not the individual who did the bad. So individual workers don't really care.

Up to five years in prison for any involvement in the loss of other people's data I suspect is the only way you'll ever see improvement.

Niall

I would think that's a bit much

14ned

lawred2 wrote: »

I would think that's a bit much

I did say "up to".

You might have a stronger opinion if you've ever experienced identity theft though. You feel violated and powerless, and nobody specific can ever be blamed for causing it, because no one person ever did. The cause is lots of small leaks by many individuals not sufficiently motivated to care more about other people's data.

beauf

Kinda very identifiable, its a very specific market and data and date.

A rep might be just talking it up. But not actually know what the data is or isn't.

johnmcdnl

Well at least you know and understand that this company have bad practices and processes behind whatever sales pitch they provided.
Are you comfortable that your data may be shared in such a manner and what reprecusions that may bring in the future for your company?
Do you trust that this company have adequate defences to ensure they don't leak your customers data if this is how they are currently handling data.

Make sure to look out for yourself first, and ensure that others making decisions on this piece of software understand those reprecusions as well. Lots of stuff in writing especially if there's push back, to ensure that if and when this causes you hassle down the line, it'll be clear that you had your reservations.

To be clear, I don't necesarily expect that you'll have a data leak, due to someone demoing software, but if this is the data protection procedures they have in place today, it's an indication that they may have many other issues that will cause issues later.

DublinWriter

Just to clarify, I was working as an independent consultant with a public body. I was asked to sit-in on a presentation on behalf of my client. I'm not in a position to whistle-blow.

The system the rep was demoing was cloud-based, and it was obvious to me just from the URL that he was logging in the live system. I've over thirty years in IT and I'm trained in digital forensics and ICT law.

It was immediately obvious to me from the screens he was showing that this was live data concerning real, living people. At the end, when we demoed the 'whizz'-bang' reporting facilities, I asked him one four-word question "Is this live data?" to which he replied in the positive.

After the presentation, in a meeting with my client I said "If he's that cavalier with that body's data, how do you think he'll treat your data?".

Yes, it was a clear data-breach, but more concerning to me was the fact that the rep had admin login access to a live public-body system.

beauf

Originally you implied it was "live" as in "real" data. Now you are saying it's the live system. There is a subtle but distinct difference. Bit there really isn't any need for details either scenario raises a multitude of very obvious questions.

You've identified a very distinctive event, anyone was there will know who you are talking about.