A university student has been threatened with legal action after he contacted a credit card company to report a serious security hole in its Web site.
Martin Nickel, a third-year information systems student, discovered that a well documented software bug had left confidential customer details exposed to potential hackers.
After several unsuccessful attempts to persuade the company and its Internet service provider to fix the site, Nickel resorted to e-mailing some of the card firm's customers.
"I thought I had exhausted all the openings to contact the company. The information was fairly sensitive. I felt that if the company did not want to know themselves, its customers should know," he said.
"The company didn't even know it had a UK Web site," said Nickel. "It suggested the site must be a forgery."
The credit card company, whose identity is known to Computer Weekly, initially responded by threatening legal action against Nickel. It has now said it will not proceed any further if he signs a letter acknowledging that he gained unauthorised access to its systems.
The case illustrates the dilemmas companies now face when they decide how to respond to a security alert from customers and members of the public.
The credit card company's behaviour contrasts with that of 14 other business Web sites contacted by Nickel who thanked him for the information. Two of the sites offered him a job and a third offered to send gift vouchers.
The software bug, which affects users of Microsoft's Index Server Web software, could allow hackers to view supposedly secure files, including customer details.
Nickel, aged 22, discovered the problem while on a work placement in a hospital. It could have left patients' confidential information exposed to hackers, he said.
Nickel then checked Web sites that he regularly used and discovered that 15 of them, including the credit card company's site, had the same vulnerability.
Although Microsoft has issued three patches for the problem since the beginning of the year, Nickel's research shows that many large organisations have failed to grasp the seriousness of the vulnerability.