The BBC has reported that Parcelforce, part of the Royal Mail Group, unintentionally exposed an unknown number of signatures and other personal information, such as names and addresses, placing the company at risk of breaching data protection rules. Parcelforce said the error, which it attributed to system work, had been resolved, and apologized to anyone affected.
Parcelforce data exposure blamed on system maintenance (image caption)
Richard Kirk, European Director at Fortify Software, said that, based on what the BBC reported, the issue is almost certainly a scripting issue related to shortcomings during the Web application auditing phase.
“What's interesting about the Parcelforce site is the scripts used on the main landing pages appear to have been developed in-house, rather than the firm relying on third-party interfaces. This suggests to me that the site was developed by an in-house programming team using Omniture's SiteCatalyst software,” he added.
The problem with in-house development of Web sites, says Kirk, is that while the staff concerned may be well acquainted with the company's requirements, they may well lack the ability to look at the code from an audit perspective.
When the Parcelforce issue was brought to the attention of the BBC, its reporters tested it for themselves and discovered that “…within the space of 30 minutes, the system handed out details of parcels in Cleveland, Swansea and even awaiting customs clearance en route from Shanghai. These included some parcels that had already been delivered. On the page declaring ‘proof of delivery’, the name and postcode at its destination were shown, alongside a reproduction of the signature of the recipient,” the report reads in part.
The Information Commissioner's Office (ICO) told the BBC that it will be contacting Parcelforce to establish what actually happened with the Web site errors and what can be done to prevent it happening again.
“Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure,” an ICO spokeswoman told the BBC.
Things have moved on from the old days of ‘soak tests’ of programs and Web sites, Kirk added; external professionals are now usually asked to conduct a range of tests on the Web site software, including penetration testing where appropriate.
“Almost certainly this will involve some sort of audit. It is to be hoped that, as well as Parcelforce learning from this situation, that other companies realize it could be their own IT team involved in the corporate red face stakes and review their own Web sites as well,” he said.
“Only by efficient code auditing can major errors like this be avoided. We all learn from mistakes. Some more than others.”