Interesting case – data breach due to ticket ID enumeration in a standard software URL (developed by a service provider) – CNIL sanctions data controller.
- CNIL was informed in February 2017 of a security vulnerability in the URL http://darty.epticahosting.com/selfdarty/register.do, which would have allowed access to several thousand customer data of the company DARTY.
- Online check by CNIL in March 2017 reveals security vulnerability in http://darty.epticahosting.com/selfdarty/register.do , a form allowing the company’s customers to submit a service request after-sale. Once the form has been filled in with an e-mail address and a password, a hypertext link corresponding to the registration number of the request allowed access to its follow-up. The identifier (ticket number) was contained in the URL as follows: http://darty.epticahosting.com/selfdarty/requests.do?id= XXX.
By changing the ID number in this URL, an attacker would be able to access customer service request forms completed by other customers.
- 912,938 files were potentially accessible. During the inspection, 7,417 of them were downloaded for sampling. It was found that personal data of customers were accessible on cards, such as their surname, first name, postal address, e-mail address and their orders.At the end of the audit, the delegation contacted the company to inform it of the existence of this personal data breach.
- On premise inspection by CNIL revealed that support form was developed by a service provider.
- Controller should have checked access controls and tested for vulnerabilities.
- Subcontractor based in India to process sensitive personal data without adequate data processing / data transfer grounds
- Lack of contractual definition of adequate technical and organisational measures in India
- Sensitive personal data (with high severity) sent via unencrypted email
- Sensitive personal data on FTP server without restricted access controls
- Patient found his/her data via Internet search