In two separate cases, major companies in the U.S. and U.K. recently acknowledged that significant amounts of customer data were mistakenly made available online.
The Guardian reports that some customers logging into their accounts at the U.K. mobile phone company Three found themselves viewing other customer’s names, addresses, phone numbers and call histories.
Three customer Andy Fidler told the newspaper he was able to view a different customer’s entire account when he logged into the website on Sunday. “I managed to successfully download a complete stranger’s phone bill,” he said. “All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted.”
The company told the Guardian it’s investigating a technical issue. “We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3,” a spokesman said. “No financial details were viewable during this time and we are investigating the matter.”
The U.K. Information Commissioner’s Office is also investigating the incident. “Data protection law requires organizations to keep any personal information they hold secure,” a spokeswoman said. “It’s our job to act on behalf of consumers to see whether that’s happened and take appropriate action if it has not.”
High-Tech Bridge CEO Ilia Kolochenko told eSecurity Planet by email that the incident serves as a great example of how our personal data ends up being aggregated and processed in several different ways. “For consumers, it means that even if their laptop and mobile phone are [well] protected, they can still become victims of data theft,” he said. “Cloud backups, remote storage and social platforms are just a few examples of losing control over our information.”
The exposed information included email addresses and product codes for items the customers were interested in buying, as well as IP addresses, dates and times. In some cases, phone numbers were also included.
BuzzFeed also notes that the Saks website serves some pages to logged in customers over unencrypted connections.
The data was taken offline after BuzzFeed News notified Saks owner Hudson’s Bay Company of the isssue.
In a statement provided to BuzzFeed, a Hudson’s Bay spokesperson said, “We take this matter seriously. We want to reassure our customers that no credit, payment, or password information was ever exposed.”
“The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses,” the spokesperson added. “We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
AlienVault security advocate Javvad Malik told eSecurity Planet by email that the incident is a reminder that companies shouldn’t underestimate the value of all the data they store. “It’s not just credit card information, passwords or intellectual property that has value; rather, all data, particularly relating to customers, needs to be protected,” he said.
“In the past, it may have been only large financial institutions, governments or organizations behind high-profile sites that needed to worry about being attacked; but now, any and all sites, regardless of size, are a potential target,” Malik added.
In response, Malik suggests companies take the following steps to protect themselves:
- Identify all of their critical assets, which includes knowing where sensitive information resides and where it can be accessed from
- Undertake vulnerability scans and penetration tests to identify where vulnerabilities exist and how they can be exploited
- Monitor for signs of inappropriate access through measuring baseline activity and correlating events in a SIEM, along with threat intelligence indicators
- Have a well-defined incident response plan in place