De Beers Site Security Leak


6 Apr 2000 @703

Daily News Data Spill Causes De Beers Site Security Leak By Martin Stone, Newsbytes April 06, 2000

What could have resulted in a major embarrassment for De Beers Diamonds was quickly remedied after a potentially serious security and privacy breach revealed the names and addresses of 35,000 registered site visitors.

The incident occurred on Tuesday when a page containing private information, including names, home and e-mail addresses, and phone numbers was displayed at http://www.adiamondisforever.com after a San Francisco area user hunted for his name on the site's search engine and received a whole database in return.

Jason Catlett, president of Junkbusters, a New Jersey-based online advocacy group, told Newsbytes the disclosure, called a "data spill," was undoubtedly accidental but is not at all uncommon. He said a Webmaster or site administrator can easily err in storing private pages and leave them open to public access.

Chad Yoshikawa, a Bay Area consultant, stumbled across the De Beers security hole while searching for his home address through the on-site engine. He immediately notified the site's administrator who acted quickly to remove the page from public domain. Site officials claim only two visitors accessed the page before it was withdrawn.

Yoshikawa said his wife had entered a diamond contest through the site and had supplied the achieved information.

Catlett, who spoke to Newsbytes from Toronto where he is attending a forum on privacy, said a Canadian bill, approved on Tuesday, would probably establish liability for accidental data spills and added that the bill could easily serve as a model for similar legislation in the US. It is slated for enactment in January, 2001.

He said data spills similar to the De Beers example have happened fairly often in cyberspace. "For example Butterball, a turkey producer, had done a similar thing and it's very easy to do with the slip of a keyboard. There are many threats to privacy. Some are accidental disclosures, and some are deliberate, when your name is sold to telemarketers. In the case of De Beers, it suggests a higher net-worth individual than one who's interested in turkey recipes."

Last year, the Nissan site exposed a collection of more than 24,000 e-mail addresses of potential car buyers, and Catlett said, "I've personally wandered into highly confidential areas on company intranets from public Web space."

The adiamondisforever.com site is part of the Diamond Information Center, a De Beers-sponsored marketing service. The site's privacy policy states, "We collect only the e-mail addresses of those who communicate with us via e-mail, and information volunteered by the consumer, such as survey information and/or site registrations. We also collect the domain name, but not the e-mail address (where possible) of visitors to our Web page. The information we collect is used for internal review and is then discarded, used to improve the content of our Web page, used to customize the content and/or layout of our page for each individual consumer and is not shared with other organizations for commercial purposes. We do not make available the e-mail addresses of those who access our site to other organizations or companies."

http://currents.net/newstoday/00/04/06/news4.html

-- Martin Thompson (mthom1927@aol.com), April 06, 2000
