ICO Warns Toshiba Over Data Breach 27
hypnosec writes "Toshiba Information Systems has been given a slap on the wrist by the Information Commissioner's Office (ICO), following a data spillage. This happened during an on-line competition that Toshiba organized last year. Back in September 2011, a concerned member of the public contacted the ICO and informed the body that some data pertaining to those registered for the competition was accessible. In fact, the personal details of 20 entrants were compromised in a security flaw on the site. Those details included names, addresses and dates of birth, along with other contact information. The ICO investigated and found that Toshiba's security measures weren't thorough enough, and hence, didn't detect the vulnerability — from a mistake, made by a third-party web designer. A fine hasn't been levied, but Toshiba has signed an undertaking to ensure this doesn't happen again."
Re:I'm shocked (not really) (Score:5, Insightful)
Or they could slow down, and write less code, more carefully.
Re:I'm shocked (not really) (Score:4, Insightful)
I agree that would be far better. However, in reality, it sometimes fails. This can be due to feature creep, overly high workloads (esp at some sweatshop web companies, like HIT/Heritage used to be - I dealt with them once, and wish I could have run away, but it wasn't my money), a library that got changed, or even some junior developer committing his code by mistake and having it appear in production when he meant to send it to his super.
SQL injection still appears to happen almost constantly, even though most web languages have very good safeguards against it, and high profile places still show vulnerabilities, so it is still high on the list of security flaws next to XSS.
I've been on both sides - times when I have the time to write good clean code, which has everything completely buttoned up. But I've also been a victim of those times I echoed a variable in testing and it appeared in production when just the right situation arose. I'm not proud of it, but no one is perfect. Being up all night hunting down an obscure bug means sometimes you don't clean things out the way you should.
I wish I had the leisure to take my time at it. However, reality can be the boss and the client screaming their heads off, as you try to fix a showstopper in a feature or form that was added last minute by sales due to a miscommunication, or unseen need. Companies are less people do more work, not the other way around.