The data breach at Parcelforce that exposed customer records online points to inadequate vulnerability testing of the site, says security firm Fortify Software.
A BBC investigation revealed last week that when some customers entered their parcel tracking numbers online, they were able to gain access to other customers' delivery details.
Richard Kirk, Fortify's European director, said the fault sounds as if it was caused by scripts used on the main landing pages of Parcelforce's website, which appears to have been developed in-house.
A common problem is that while in-house developers are well acquainted with the requirements of the company, they may lack the facility of looking at the scripting code from an audit perspective, he said.
According to Kirk, such errors can be avoided only by efficient code auditing, including penetration testing where appropriate.
Parcelforce claims to have fixed the problem, but UK privacy watchdog the Information Commissioner's Office (ICO) is to investigate how the breach occurred so that it can be prevented from happening again.
"Almost certainly this will involve some sort of audit," said Kirk.
All UK companies should review all code on their websites to reduce the risk of contravening the Data Protection Act and damaging their reputation by accidentally exposing customer details online, he added.