ICO Warns Toshiba Over Data Breach 27
hypnosec writes "Toshiba Information Systems has been given a slap on the wrist by the Information Commissioner's Office (ICO), following a data spillage. This happened during an on-line competition that Toshiba organized last year. Back in September 2011, a concerned member of the public contacted the ICO and informed the body that some data pertaining to those registered for the competition was accessible. In fact, the personal details of 20 entrants were compromised in a security flaw on the site. Those details included names, addresses and dates of birth, along with other contact information. The ICO investigated and found that Toshiba's security measures weren't thorough enough, and hence, didn't detect the vulnerability — from a mistake, made by a third-party web designer. A fine hasn't been levied, but Toshiba has signed an undertaking to ensure this doesn't happen again."
ICO? (Score:1)
Does anyone care?
Re:ICO? (Score:5, Informative)
Re:ICO? (Score:4, Interesting)
Ah yes, that explains it. They're British.....
"No fine, but you promise not to do it again right?"
Of course, if you are not favored it could be worse.
Seriously? A signed paper? That's it? I can see the people at Toshiba rolling their eyes when they got it.
Re: (Score:2)
Seriously? A signed paper? That's it? I can see the people at Toshiba rolling their eyes when they got it.
The ICO has the power to levy serious fines without much in the way of judicial oversight, and they're not afraid to use this power. If you want to avoid paying the fine, you have to take them to court to get it overturned.
Whenever a case like this happens, they write up a nice report in clear English explaining precisely what happened and publish it far and wide, along with details of what punishment they've enacted.
Usually, the size of the punishment is related to:
- How serious the breach was. A breach in
Re: (Score:3)
I'm shocked (not really) (Score:5, Informative)
So, a web developer that was hired from outside screwed up his code. That happens almost every day. If not far more often.
Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence. Mistakes and bad code happen, especially with outside contactors. Are they going to start fining companies for not encrypting hard drives too?
20 people COULD have been affected, and this is supposedly big news. However, thousands of people were affected by the far more intrusive credit card breaches that seem to happen almost monthly. I think the ICO should be focusing their resources elsewhere.
Re:I'm shocked (not really) (Score:5, Insightful)
Or they could slow down, and write less code, more carefully.
Re:I'm shocked (not really) (Score:4, Insightful)
I agree that would be far better. However, in reality, it sometimes fails. This can be due to feature creep, overly high workloads (esp at some sweatshop web companies, like HIT/Heritage used to be - I dealt with them once, and wish I could have run away, but it wasn't my money), a library that got changed, or even some junior developer committing his code by mistake and having it appear in production when he meant to send it to his super.
SQL injection still appears to happen almost constantly, even though most web languages have very good safeguards against it, and high profile places still show vulnerabilities, so it is still high on the list of security flaws next to XSS.
I've been on both sides - times when I have the time to write good clean code, which has everything completely buttoned up. But I've also been a victim of those times I echoed a variable in testing and it appeared in production when just the right situation arose. I'm not proud of it, but no one is perfect. Being up all night hunting down an obscure bug means sometimes you don't clean things out the way you should.
I wish I had the leisure to take my time at it. However, reality can be the boss and the client screaming their heads off, as you try to fix a showstopper in a feature or form that was added last minute by sales due to a miscommunication, or unseen need. Companies are less people do more work, not the other way around.
Re: (Score:2)
Being up all night hunting down an obscure bug means sometimes you don't clean things out the way you should
True. And inevitable. If you write enough code under pressure you are bound to overlook something, no matter how much of a genius you are.
Sadly competitive marketplace and clueless HR/MBA drones and accountants that are given free reign are the norm, so more and more work gets done like a race in stead of like a real development. What's next? Equipping the shareholders' kids with SCRUM and letting them loose on the devs?
Re: (Score:3)
Mosts developers are not able to tell their boss or client that they want to "slow down, and write less code, more carefully" if they want to keep their jobs.
I don't think it matters much that the developer was somebody that Toshiba hired and not a full-time Toshiba employee. Toshiba is still responsible. If you're going to keep users' information, you better be a little more careful. Or, set better standards for your contract workers.
It's not
Re: (Score:1)
Or they could slow down, and write less code, more carefully.
Mosts developers are not able to tell their boss or client that they want to "slow down, and write less code, more carefully" if they want to keep their jobs.
I like the part where you left out what they were responding to.
The part where it was suggested to fine companies that allow bad code, which would be a motivation for the boss/client to allow the developers to slow down and write less code, more carefully.
Leaving that out makes your argument much stronger.
Re: (Score:1)
If only that were the case. As usual, let's go with the car analagy. A person gets a ticket for speeding. That may slow them down for a week or two, but they will enevitably be speeding again when they are in a rush, or old habits take over. Fines are a slight deterrent, but they are in no way the most effective discipline method.
Now, on to corporations. They are trying to make money. they want the lowest price. In fact, they are basically required to get it in most situations. They are told constantly by t
Re: (Score:2)
Or they could slow down, and write less code, more carefully.
Or just hire someone to do security testing. TFA implies there was some kind of automated vulnerability scanner involved, but clearly that isn't a substitute for a human being looking at it.
Re: (Score:2)
Seriously, if companies were to get fined for every bad piece of code or stupid bobby tables vulnerability (obligatory xkcd reference), they would all go out of existence.
Good. Then there would be a space in the market for a competent company to take over.
Re: (Score:1)
Amen. As a person who bids a lot, I've seen the shoddy guy win too many times, and then had to fix it.
Hunger for personal details (Score:2)
But I think the more pertinent question is, why did Toshiba have to collect so much personal details just for a competition? Why do they need the date of birth? Just ask for age, that too, only if necessary for some legal / regulatory reasons.
So Buttery (Score:1)
Re: (Score:1)
data spillage (Score:2)
What kind of mop do you think that would require?