Better testing may have prevented Parcelforce data breach

The data breach at Parcelforce that exposed customer records online points to inadequate vulnerability testing of the site, says security firm Fortify Software.

The data breach at Parcelforce that exposed customer records online points to inadequate vulnerability testing of the site, says security firm Fortify Software.

A BBC investigation revealed last week that when some customers entered their parcel tracking numbers online, they were able to gain access to other customers' delivery details.

Richard Kirk, Fortify's European director, said the fault sounds as if it was caused by scripts used on the main landing pages of Parcelforce's website, which appears to have been developed in-house.

A common problem is that while in-house developers are well acquainted with the requirements of the company, they may lack the facility of looking at the scripting code from an audit perspective, he said.

According to Kirk, such errors can be avoided only by efficient code auditing, including penetration testing where appropriate.

Parcelforce claims to have fixed the problem, but UK privacy watchdog the Information Commissioner's Office (ICO) is to investigate to find how the breach occurred to prevent it from happening again.

"Almost certainly this will involve some sort of audit," said Kirk.

All UK companies should review all code on their websites to reduce the risk of contravening the Data Protection Act and damaging their reputation by accidentally exposing customer details online, he added.

Read more on IT risk management

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close