I usually withhold information about a leaky site until it’s been secured, but when a company repeatedly fails to follow up and ignores notifications by phone and email, and when the company responsible for their site also ignores notification, it’s time to go public, I think. More than one month ago, I was contacted by…
Category: Exposure
Beauty site lets anyone read customers’ personal information
Darren Pauli reports: Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature. The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy Hunt reported the flaw to…
AU: Miner Norton Gold Fields blames human error for leak of employees’ personal and financial details
Jasmine Bamford and Sam Tomlin report: The operators of a Kalgoorlie gold mine have blamed “human error” after the personal and financial details of several hundred employees were emailed to one of their suppliers. Staff at Norton Gold Fields have been advised to monitor their bank accounts, with their names, bank details and tax file…
UK: Sage really has had its hands full this week…
In addition to dealing with what appears to be an insider breach that snagged the information of more than 200 Sage corporate customers, Sage also got a phone call from Chris Vickery this week that kept them even busier. According to Chris, he discovered about 20 misconfigured MongoDB installations using Sage’s X3 software. Originally thinking…
AU: Albany hospital staff avoid censure over confidential patient document find
ABC reports: Staff at Albany’s public hospital have avoided serious consequences after confidential patient information was found by a member of the public in the building’s courtyard. A double-sided paper document listing the personal details of 11 mental health patients, their reason for admission and their risk factors was found in the courtyard of the Albany…
UK: Hampshire County Council fined £100,000 after confidential social services papers found
Here’s a case where as part of her deliberations, the ICO considered that a council should have known they were in contravention of the DPA because the ICO had issued three monetary penalty notices to other entities who had left confidential data behind in decommissioned buildings during the relevant time period. From the Information Commissioner’s Office:…