Card Factory, the UK-based gift shop and greeting card company, inadvertently made customer photos publicly available on its website. If these could have been used to identify individuals, this would have constituted a personal data breach under the EU GDPR (General Data Protection Regulation).
Customer Iain Row discovered the error when buying a birthday card online from Card Factory. When he uploaded his photo to the organisation’s website, he found it was stored in an insecure way, and that he could access any user’s photos. Row told Mashable:
When I realised that you could (…) display any other user’s photos, I was stunned. I did some further testing and confirmed that a) you can link to the images from anywhere, and b) there are no restrictions on downloads, you can download thousands if you want and the server never kicks you out.
Software engineer Luka Kladaric told Mashable: “This type of vulnerability is called ‘insecure direct object reference’. It’s fairly common and totally unacceptable.”
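The pattern Kladaric names is easy to see in code. The following is an added illustration, not Card Factory's code or anything derived from its site: a constructed in-memory photo store with the vulnerable lookup (the client-supplied photo id is trusted as the only reference, so anyone can fetch anyone's photo) beside the hardened lookup that checks ownership against the server-side session, plus a small log-review helper of the kind a defender would use to spot id enumeration. The class and function names, the sample users, the photo ids and the detection thresholds are all assumptions made for this example.

```python
"""Insecure direct object reference (IDOR): vulnerable lookup, fixed lookup,
and a defender-side check for enumeration. Added example; the store, users,
ids and thresholds are constructed for illustration and are not from the site
discussed in the article."""
from collections import defaultdict
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller asks for a photo it does not own."""


@dataclass
class Photo:
    photo_id: str
    owner: str
    data: bytes


@dataclass
class PhotoStore:
    photos: dict = field(default_factory=dict)

    def upload(self, owner: str, data: bytes) -> str:
        # Sequential ids make every other object trivially guessable, but the
        # real defect below is the missing authorisation check, not the id.
        photo_id = str(len(self.photos) + 1)
        self.photos[photo_id] = Photo(photo_id, owner, data)
        return photo_id

    def get_photo_insecure(self, photo_id: str) -> bytes:
        # Vulnerable: the reference supplied by the client is the only input,
        # so whoever changes the id in the request gets the photo.
        return self.photos[photo_id].data

    def get_photo_secure(self, requester: str, photo_id: str) -> bytes:
        # Hardened: 'requester' comes from the authenticated session, never
        # from the request body, and ownership is checked before returning.
        photo = self.photos.get(photo_id)
        if photo is None or photo.owner != requester:
            # One response for "missing" and "not yours", so the id space
            # cannot be probed to learn which ids exist.
            raise Forbidden("photo not found or not owned by requester")
        return photo.data


def flag_enumerators(access_log, max_distinct: int = 20, max_denied: int = 5):
    """Return requesters whose access pattern suggests id enumeration.

    access_log entries are (requester, photo_id, allowed) tuples, e.g. from
    the server's access log. Thresholds are assumptions to tune per site.
    """
    distinct = defaultdict(set)
    denied = defaultdict(int)
    for requester, photo_id, allowed in access_log:
        distinct[requester].add(photo_id)
        if not allowed:
            denied[requester] += 1
    return sorted(
        r for r in distinct
        if len(distinct[r]) > max_distinct or denied[r] > max_denied
    )


def demo() -> dict:
    """Constructed scenario: two users, one photo each."""
    store = PhotoStore()
    alice_id = store.upload("alice", b"alice-birthday.jpg")
    bob_id = store.upload("bob", b"bob-wedding.jpg")

    # Insecure path: a request for alice's id returns alice's photo to bob.
    leaked = store.get_photo_insecure(alice_id)

    # Secure path: the same request is refused; bob still gets his own photo.
    try:
        store.get_photo_secure("bob", alice_id)
        refused = False
    except Forbidden:
        refused = True
    own = store.get_photo_secure("bob", bob_id)
    return {"leaked": leaked, "refused": refused, "own": own}


if __name__ == "__main__":
    print(demo())
```

The fix that matters is the ownership check in `get_photo_secure`; switching to long random ids on its own only makes guessing slower and does nothing once a link is shared, which is why the quoted tester could "link to the images from anywhere". The `flag_enumerators` helper shows the complementary detection control: a session touching far more distinct objects than a normal customer, or collecting many denials, is worth alerting on even after the authorisation bug is fixed.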
The error took a week to resolve
According to Mashable, Card Factory became aware of the error on 8 October 2018 but didn’t immediately rectify it. However, on 15 October it said:
The trust and privacy of our customers is of utmost importance to us. After recently being made aware of this issue, we have applied a security update to our website to ensure it cannot happen again.
Card Factory says security measures are in place to protect user information. It has also contacted the Information Commissioner’s Office, which “confirmed that this was not a data breach and no personal data was compromised”.
Understand your cyber security environment
The issue demonstrates how easy it is for retailers to experience cyber security incidents, and how important it is that they are prepared to respond.
At IT Governance, we advise all retailers to fully understand the complex cyber security environment they’re operating in, to minimise risks to them and their customers.