The flaw was in the incremental numbering of competition entrants' registration URLs

Apr 17, 2012 13:17 GMT  ·  By

The Information Commissioner’s Office (ICO) has revealed that, because of a security flaw on Toshiba’s website, the company exposed the personal details of 20 individuals who signed up to take part in a competition.

In September 2011, the ICO was notified that the names, addresses, dates of birth and contact details of the contestants were accessible to anyone who found the right URL. It later turned out that the exposure was caused by a web design flaw introduced by a third-party developer.

The exact nature of the vulnerability is not mentioned, but Toshiba representatives refer to it as a “security fault with the incremental numbering of competition entrants registration URL.”
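The page does not say exactly how the Toshiba form worked, so the following is an added illustration rather than the developer’s code. It shows the class of flaw that “incremental numbering of the registration URL” normally describes: an insecure direct object reference, where a confirmation page such as `/entrant/17` is served purely on the basis of a guessable sequential number, so anyone can walk the IDs and collect every record. The entrant records, the handler functions and the token scheme are all constructed for this example. The hardened handler replaces the guessable number with an unguessable per-entrant token, compares it in constant time, and returns the same 404 for an unknown ID and a wrong token so that the valid ID range cannot be mapped either.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Entrant:
    """One competition entry. All values below are constructed sample data."""
    entrant_id: int
    name: str
    address: str
    dob: str
    email: str
    # Capability token that must accompany the entrant_id in the URL.
    # 32 random bytes, base64url-encoded: not guessable by enumeration.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

    def as_dict(self):
        return {"name": self.name, "address": self.address,
                "dob": self.dob, "email": self.email}


# Constructed sample "database", keyed by a sequential auto-increment id.
ENTRANTS = {
    1: Entrant(1, "A. Entrant", "1 Example Road", "1980-01-01", "a@example.invalid"),
    2: Entrant(2, "B. Entrant", "2 Example Road", "1975-05-05", "b@example.invalid"),
    3: Entrant(3, "C. Entrant", "3 Example Road", "1990-09-09", "c@example.invalid"),
}


def vulnerable_view(entrant_id):
    """Hypothetical handler for /entrant/<id>: looks the record up by its
    sequential id and performs no authorisation check at all."""
    entrant = ENTRANTS.get(entrant_id)
    if entrant is None:
        return 404, None
    return 200, entrant.as_dict()


def enumerate_entrants(view, max_id):
    """What an outsider can do against a sequential-id endpoint: request
    every id from 1 upwards and keep whatever comes back with 200."""
    leaked = []
    for candidate in range(1, max_id + 1):
        status, body = view(candidate)
        if status == 200:
            leaked.append(body)
    return leaked


def hardened_view(entrant_id, token):
    """Hypothetical handler for /entrant/<id>/<token>: the token emailed to the
    entrant acts as a capability, so knowing the id alone is useless."""
    entrant = ENTRANTS.get(entrant_id)
    # Constant-time comparison on bytes; encoding also prevents a TypeError
    # if the attacker supplies non-ASCII input.
    if entrant is None or not hmac.compare_digest(
            entrant.token.encode("utf-8"), token.encode("utf-8")):
        # Same response for "no such id" and "wrong token": the attacker
        # cannot even learn which ids exist.
        return 404, None
    return 200, entrant.as_dict()


def confirmation_url(entrant_id, base="https://competition.example.invalid"):
    """Builds the link the hardened design would email to the entrant."""
    return f"{base}/entrant/{entrant_id}/{ENTRANTS[entrant_id].token}"


if __name__ == "__main__":
    print("leaked by enumeration:", len(enumerate_entrants(vulnerable_view, 50)))
    print("leaked against hardened view:",
          len(enumerate_entrants(lambda i: hardened_view(i, "guess"), 50)))
    print("legitimate link:", confirmation_url(1))
```

Where entrants have an authenticated account, the equivalent fix is to take the identity from the server-side session and refuse any record whose owner does not match; the token approach above is the variant that suits an email-confirmation link with no login. Either way the point is the same: the record must be tied to something the visitor cannot guess or forge, never to its position in the table.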

The information was exposed for about two months. Once the incident had been addressed, Toshiba representatives promised that in future the company would obtain guarantees from third parties about the quality of the web applications they deliver, so as to avoid a repeat.

Every new application released under the Toshiba name is to be thoroughly tested before it goes live.

“It is vital that, as ever-increasing amounts of our personal information are collected online, companies have the necessary safeguards in place to keep this information secure,” said Stephen Eckersley, the ICO’s head of enforcement.

“We are pleased that Toshiba Information Systems (UK) have committed to ensuring that any changes to applications on their website are thoroughly tested by both the developer and themselves, in order to keep the personal information they are collecting secure.

“We would urge other UK organisations with interactive websites to make sure they have suitable checks in place before collecting people’s details online.”

Fortunately, the number of people affected here is small compared with other incidents of this kind. The same application, however, could just as easily have held hundreds or even thousands of records, and records containing far more sensitive information; once the URLs are numbered sequentially, collecting every one of them is a matter of counting.

Hopefully, Toshiba and others will learn something from this incident.

Note: My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1.