Durex leak reveals customer details, in a week where data loss has risen to incredible levels
A website selling Durex condoms in India suffered a data breach that revealed customers' names and orders.
Databreaches.net reported that on 5th March, a customer reportedly discovered that anyone could view his and other customers' orders on the kohinoorpassion.com website by simply inserting a different order ID number in the URL without any login required.
Available information included names, addresses, phone numbers and the type of products ordered, and it claimed that from what a customer could determine, the earliest order exposed online dated back to 23rd February 2009, but there is no confirmation as to for how long the customer records might have been accessible without a login. According to the customer's website about the breach, no credit card or financial data were exposed.
The customer said that he contacted TTK-LIG, the marketer of the Durex brand in India and manufacturer of Kohinoor condoms, and SSL International the owner of the Durex brand worldwide about the problem and that by the next day, the site appeared to be better secured
The customer kept a blog of the incident and subsequent legal dealings with TTK-LIG's lawyers. This can be viewed here.
Amichai Shulman, CTO of Imperva, claimed that victims of data breaches need to look beyond basic vulnerabilities such as SQL injections.
He said: “It is always amazing that companies don't think their site defences will be probed by increasingly sophisticated hackers, let alone inquisitive internet users.
“The fall-out from this saga is that the company has now been severely embarrassed internationally, and that's before any legal or regulatory action is involved. Companies need to wake up and smell the coffee when it comes to website security. A failure to make a modest investment at the development and implementation stages can result in considerably more cost - and damage to reputation - in the longer term."
In a week where data loss has been brought back to the fore, the problem was at its paramount with the loss of the data of 3.3 million people by the Educational Credit Management Corporation (ECMC).
Dave Everitt, general manager, EMEA at Absolute Software, said that what was most alarming about that loss was the fact that it failed to get the basics right.
He said: “Having so much data held on one portable device with inadequate security measures in place is unacceptable. It's crucial for organisations to understand the importance of knowing where your data is at all times.
“It might sound obvious, but IT departments need to be managing and monitoring all devices on a daily basis. They need to be certain they have complete visibility over who is using which device, especially as organisations are operating with greater mobility, which increases the risk of data loss.
“Getting the basics right means that if the worst happens, organisations know exactly what devices to shut down and what data is likely to be at risk. It is the ability to then delete, track and even recover the data that will put IT back in control of its assets and save the reputation of the organisation.”
Anders Pettersson, CSO at BlockMaster, called the incident ‘another scenario where data security has failed'.
He said: “These are the risks which materialise as a result of slow adoption of security technologies and a lack of responsibility from end-users. Why is there an option to export 3.3 million people's data onto anything but a secure device? There is no reason to lose data on USBs if they are misplaced today.
“To add to this, the upcoming Information Commissioner's Office penalty should hopefully start to make businesses think more proactively about security. Businesses and the public alike should not have to worry about their details falling into the wrong hands. A secure device with instant password protection and automatic hardware encryption solves one of the most pressing issues, the USB problem, and that is the first piece of the security puzzle.”