Simple oversight at TNS Infratest exposes participant information
Technorati Tag: Security Breach
Date Reported:
7/4/08
Organization:
Taylor Nelson Sofres plc (TNS)
Contractor/Consultant/Branch:
TNS Infratest
Victims:
Survey participants
Number Affected:
41,000
Types of Data:
"Name and address, date of birth, email address and phone numbers", "Some of the data included monthly income, education, bank account information, health insurance data, and which credit cards are used"
Breach Description:
"The scientific journal of the Chaos Computer Club (CCC), Die Datenschleuder, reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants."
Reference URL:
Chaos Computer Club e.V.
The Inquirer
Report Credit:
Chaos Computer Club e.V.
Response:
From the online sources cited above:
TOP MARKET RESEARCH firm TNS Infratest/Emnid has 'lost' 41,000 private data records of its survey participants, the Chaos Computer Club (CCC) has revealed in its official organ Die Datenschleuder.
As the magazine reports [1], it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures.
Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.
[Evan] This type of development mistake is all too common. The vulnerability is very easy to find by good pen testers and the bad guys. Actually, I am surprised that we don't hear about more of these types of breaches.
Besides name and address, the data records included date of birth, email address and phone number.
Many records also included very sensitive information: monthly income, education, bank account information, health insurance data, if and which credit cards are used, which electronic devices are used in the household, children's ages and yet more private data.
[Evan] Clearly this is some very sensitive information, all provided by people completing surveys.
"TNS Infratest made a beginner's mistake in their software development. This is unprofessional, grossly negligent and above all deeply worrying," commented CCC spokesman Dirk Engling regarding the incident.
[Evan] Mr. Engling is dead on. I couldn't have said it better myself.
"As this information is very sensitive, where abuse such as identity theft or its use in connection with burglary cannot be excluded, TNS Infratest needs to inform the victims immediately," he continued.
This case continues a disastrous, never-ending series of information leaks of data held by public and private sector organisations.
The need for more strict control of sensitive data collections is evidenced by the recent snooping affairs by German Telecom as well as the data leaks from the "Meldeämtern" (registration of address offices).
It is obvious here that data security only plays a minor role in companies.
[Evan] Very sad, but very true. Too many organizations still take the wrong view of information security as a "cost center" instead of a business driver. Well designed and managed information security programs, the ones that are aligned with the business and not IT, can actually provide value to the business.
"Especially for companies surveying the most confidential data, the highest security standards have to apply," said Engling.
The press team of the Chaos Computer Club is available for questions at the following addresses:
- (preferred)
- 0700-CHAOSFON (0700 - 24267366)
Commentary:
TNS is a large company, one with the resources to hire good management, programmers, and information security personnel. What is the excuse for such a significant, yet simple, oversight? A number of controls could have reduced the risk of this occurring.
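The flaw described in the report, reading other participants' records by changing the customer ID in the address bar, is an insecure direct object reference: the handler trusts a client-supplied identifier and never checks that the authenticated user owns the record. The example below is added here and is not code from TNS Infratest or from the CCC report; the session object, the record fields, the sample data, the in-memory store and the access-log format are all constructed assumptions. It shows the vulnerable lookup beside two hardened forms (an ownership check, and deriving the key from the session so no client-controlled ID exists at all), plus a small detector that flags a session requesting an unusual number of distinct IDs, which is the signal an enumeration of this kind leaves in access logs.

```python
"""Insecure direct object reference (IDOR) on a survey-participant lookup:
vulnerable handler, hardened handlers, and a log-based enumeration check.

Everything here is a constructed illustration (assumed session model,
assumed record fields, constructed sample data and log lines); it is not
the software of any company named in the report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """Authenticated participant, as established by an assumed login flow."""
    participant_id: int


@dataclass
class ParticipantRecord:
    participant_id: int
    name: str
    date_of_birth: str
    bank_account: str


# Constructed sample data standing in for the survey database.
RECORDS: Dict[int, ParticipantRecord] = {
    1001: ParticipantRecord(1001, "Alice Example", "1970-01-01", "DE00 0000 0000 0000 01"),
    1002: ParticipantRecord(1002, "Bob Example", "1980-02-02", "DE00 0000 0000 0000 02"),
}

# Audit trail of denied lookups (session id, requested id); a burst of these
# from one session is the first thing a defender would alert on.
DENIED_LOOKUPS: List[Tuple[int, int]] = []


def get_profile_vulnerable(session: Session, requested_id: int) -> Optional[ParticipantRecord]:
    """Vulnerable: the ID taken from the URL is used directly as the lookup
    key, so any logged-in participant can read any other record simply by
    changing the number. The session is never consulted."""
    return RECORDS.get(requested_id)


def get_profile_hardened(session: Session, requested_id: int) -> Optional[ParticipantRecord]:
    """Hardened: the client-supplied ID must match the authenticated identity
    before anything is returned. A mismatch is logged and answered with
    nothing, so the response does not even confirm that the other ID exists."""
    if requested_id != session.participant_id:
        DENIED_LOOKUPS.append((session.participant_id, requested_id))
        return None  # surface as 404/403 in the HTTP layer
    return RECORDS.get(requested_id)


def get_own_profile(session: Session) -> Optional[ParticipantRecord]:
    """Safest shape: derive the key from the session alone. With no
    client-controlled identifier in the request there is nothing to tamper with."""
    return RECORDS.get(session.participant_id)


# Constructed access-log lines in an assumed "key=value" format. Session s2
# walks through several IDs, which is what the reported attack looks like.
SAMPLE_LOG = [
    "session=s1 id=1001 status=200",
    "session=s1 id=1001 status=200",
    "session=s2 id=1002 status=200",
    "session=s2 id=1003 status=200",
    "session=s2 id=1004 status=200",
    "session=s2 id=1005 status=200",
    "session=s3 id=1006 status=200",
]


def flag_id_enumeration(log_lines: List[str], threshold: int = 3) -> List[str]:
    """Return the sessions that requested more than `threshold` distinct
    participant IDs. A legitimate participant only ever needs their own."""
    seen: Dict[str, set] = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen.setdefault(fields["session"], set()).add(fields["id"])
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    alice = Session(1001)
    leaked = get_profile_vulnerable(alice, 1002)
    print("vulnerable handler returned:", leaked.name if leaked else None)
    print("hardened handler returned:", get_profile_hardened(alice, 1002))
    print("own profile:", get_own_profile(alice).name)
    print("sessions enumerating IDs:", flag_id_enumeration(SAMPLE_LOG))
```

The ownership check is the minimum fix; the `get_own_profile` shape is preferable because it removes the tampering surface entirely. The enumeration check is deliberately simple: in production the same count would be computed per session over a time window, but the signal is the same, one session touching many identifiers it has no business reading.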
On a secondary note, but no less important in my opinion. It seems that people (in general) provide too much information willingly, without understanding what the risks could be. Personally, I rarely complete surveys that ask me for personally identifiable information (name, address, etc.). I suggest that you give some serious thought to providing any of your personal information. Ask yourself if you trust the organization collecting your information. If so, question what your trust is based on. Do NOT hesitate to ask questions and err on the side of caution.
Past Breaches:
Unknown