The BBB and freely available complaint information
Date Reported:
10/10/07
Organization:
The Better Business Bureau
Contractor/Consultant/Branch:
None
Victims:
People who have reported a claim to the Better Business Bureau
Number Affected:
Unknown*
*The Better Business Bureau provided 105 million instances of service to consumers and businesses in 2006, of which 49,193,407 were complaints.
Types of Data:
First name, last name, address, email address, and telephone number.*
*One can assume other personal information is contained in some complaint reports. The Better Business Bureau does not inform or warn consumers that the information they provide is not secure.
Breach Description:
On October 10th, 2007, The Breach Blog was notified by an informed consumer that The Better Business Bureau does not secure complaint information and that information contained within complaints is viewable without authentication or authorization.
Reference URL:
The Drapetomaniacs Blog
Report Credit:
Rich Vazquez
Response:
From the online resource cited above:
"a large portion of service requests appear to be accessible online. When you make an online complaint with the BBB"
"The name and full contact information of the business and consumer, along with a full description of the business transaction, possibly including account numbers or doctors name and care"
"No password and user name is required."
Commentary:
The Breach Blog was notified by Rich Vazquez last week of an apparent breach in consumer privacy by The Better Business Bureau. I evaluated the information provided by Mr. Vazquez and conducted an investigation myself, and concluded that The Better Business Bureau is putting consumers at unnecessary risk.
The Better Business Bureau does NOT:
- Do an adequate job of protecting the data they collect as part of the complaint process.
- Put controls around the type of data that could be contained in a complaint.
- Properly warn consumers that the data they enter into a complaint could be accessed and/or used by anyone.
- Properly warn consumers not to include account numbers, Social Security numbers, or other potentially sensitive information.
The risk involved with not properly securing complaint information far outweighs the work involved. The Better Business Bureau complaint system is POORLY DESIGNED.
Mr. Vazquez has repeatedly informed The Better Business Bureau of this breach and has received no solution to the problem. Consumers are encouraged to contact The Better Business Bureau and ask them why complaint data is not scrubbed of confidential information and why there is no security around the confidentiality of such data.
Past Breaches:
Unknown