The Aberdeen Press and Journal unintentionally disclosed registered members' personal information

Sep 2, 2008 14:56 GMT

Users reported on Monday, according to The Register, that The Aberdeen Press and Journal website exposed the personal information of its registered members through simple URL manipulation. By changing a single value in a URL, anyone could read sensitive details such as the real name, home address, e-mail address and even telephone number of the newspaper's registered users.


The website requires registration for users who want to post comments, enter various contests, or access other restricted content. For registered users, the link to an article is of the form http://www.pressandjournal.co.uk/Article.aspx/xxxxx?UserKey=xxxx (where each x represents a digit). The UserKey value in the query string was apparently the only thing the site used to decide whose profile to show: modifying it to another member's number displayed that member's personal information, a textbook insecure direct object reference, with no check that the key belonged to the logged-in visitor.


Because the keys are short, sequential numbers, it would have been trivial to write a program that iterates through every UserKey value and harvests the private data of the entire membership. Hopefully nobody had time to do so, because the company that owns the website acted promptly and the bug was fixed within a few hours of coming to its attention.
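The flaw described above, and the fix a developer would apply, as an added example that is not code from the newspaper's site: a handler that selects the profile purely from the UserKey query parameter (the vulnerable pattern), a hardened handler that takes identity from the server-side session and rejects a UserKey that belongs to anyone else, and the kind of enumeration loop the article warns about, run against both. The member records, session token and key range are constructed for illustration and are not real data.

```python
"""UserKey insecure direct object reference: vulnerable vs. hardened lookup.

All records, keys and session tokens below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed member table keyed by a small sequential UserKey, mirroring the
# numeric keys the article describes. Values are invented.
MEMBERS = {
    1001: {"name": "Alice Example", "address": "1 Union St, Aberdeen",
           "email": "alice@example.invalid", "phone": "01224 000001"},
    1002: {"name": "Bob Example", "address": "2 King St, Aberdeen",
           "email": "bob@example.invalid", "phone": "01224 000002"},
    1003: {"name": "Carol Example", "address": "3 Queen St, Aberdeen",
           "email": "carol@example.invalid", "phone": "01224 000003"},
}

# Server-side session store: an opaque session token maps to the member who
# actually authenticated. Constructed for the example.
SESSIONS = {"sess-a1b2": 1001}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: parsed query string and cookies."""
    query: dict = field(default_factory=dict)    # e.g. {"UserKey": "1002"}
    cookies: dict = field(default_factory=dict)  # e.g. {"session": "sess-a1b2"}


def _parse_key(req: Request) -> Optional[int]:
    """Return the UserKey query value as an int, or None if absent/malformed."""
    try:
        return int(req.query.get("UserKey", ""))
    except ValueError:
        return None


def vulnerable_profile(req: Request) -> Optional[dict]:
    """Vulnerable pattern: the URL parameter alone selects the record.

    Whoever supplies a UserKey gets that member's personal data, regardless of
    who (if anyone) is logged in.
    """
    key = _parse_key(req)
    return MEMBERS.get(key) if key is not None else None


def hardened_profile(req: Request) -> Optional[dict]:
    """Hardened pattern: identity comes from the authenticated session.

    The UserKey parameter is treated as untrusted input and must match the
    session's member; any other value is refused, so it can no longer be used
    to select somebody else's record.
    """
    member = SESSIONS.get(req.cookies.get("session", ""))
    if member is None:
        return None          # not logged in
    requested = _parse_key(req)
    if requested is None or requested != member:
        return None          # forbidden: key is missing, malformed or not ours
    return MEMBERS.get(member)


def harvest(handler: Callable[[Request], Optional[dict]],
            session_cookie: str, start: int, stop: int) -> dict:
    """Enumerate UserKey values the way a scraper would and collect the leaks.

    Uses one valid session throughout, since the attacker is a registered user.
    """
    leaked = {}
    for key in range(start, stop):
        req = Request(query={"UserKey": str(key)},
                      cookies={"session": session_cookie})
        record = handler(req)
        if record is not None:
            leaked[key] = record
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_profile),
                          ("hardened", hardened_profile)):
        got = harvest(handler, "sess-a1b2", 1000, 1010)
        print(f"{name}: scraping keys 1000-1009 yielded {sorted(got)}")
```

The hardened handler still accepts a UserKey in the URL, which keeps existing links working, but the parameter no longer carries authority; if it disagrees with the session the request is refused rather than redirected to the other member's data. Replacing sequential keys with random identifiers would raise the cost of enumeration, but it is not a substitute for the authorization check, since a leaked or shared link would still expose the record.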


The site's Privacy Policy and Conditions of Use state that “we will ensure that your personal data will not be disclosed except insofar as you have consented to such disclosure or we are required to do so by law.” The leak is plainly a breach of that policy on the company's part, though the company did offer an explanation of how it came about. "Apparently, the bug was introduced two or three weeks ago during an upgrade to part of the site," said a company official.


The Aberdeen Press and Journal is the oldest newspaper in Scotland, first printed in 1748 under the name “The Aberdeen Journal.” The newspaper has a weekly readership of 331,000 adults and, judging by the range of UserKey values in circulation, over 80,000 registered online readers; that a visitor can estimate the size of the membership from the keys at all is itself a side effect of using sequential identifiers.


The number of data loss incidents has risen steadily over the past few years, and the most common cause appears to be employee negligence, such as file-sharing and social-networking applications on company laptops, or lost portable storage devices. However, URL manipulation leaks of this kind also account for a fair number of incidents, exposing private information about university students, hospital patients and customers, as well as credit card details and confidential corporate files.