Home » Topics » Cybersecurity » ICO raps Toshiba over web application security flaw

ICO raps Toshiba over web application security flaw

Avatar photoby Ben Rossi

Electronics manufacturer Toshiba had taken insufficient measures to prevent a web application security flaw that exposed customers’ personal data over the Internet last year, the Information Commissioner’s Office said yesterday.

The company had launched a competition on its website, that invited customers to enter their personal data. However, the web application functionality, built by a third party, allowed visitors to view other competition entrants’ details simply by changing a number in the URL.

A concerned customer reported the flaw to the ICO. A total of 20 customers’ data was exposed as a result of the breach.

Although the functionality was built by a third party, the ICO said that Toshiba was at fault for having failed to implement security measures that could have detected the issue.

"It is the commissioner’s view that the organisational and technical security measures implemented by the data controller at the time of this security breach were not sufficient to detect [the] web design error … that resulted in the online compromise of customer data," it said in a statement.

See also: Global Payments admits credit card breach

Toshiba has agreed to undertaking to resolve its security issues. These include ensuring that its third party developer has taken the necessary security precautions to protect personal data, and implement security testing on web applications before launch.

This kind of security flaw is known as an ‘insecure direct object reference’. According to the Open Web Application Security Project (OWASP), it is the fourth most common form of web application security flaw.

Web applications must be designed to authenticate users to access only the precise resource they are requesting, OWASP recommends.

"Code review of the application can quickly verify whether [this] approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe," OWASP advises. "Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Toshiba
Web App Security

Related Stories

Cybersecurity

Can NIS2 and DORA improve firms’ cybersecurity?

Daniel Lattimer, Area VP at Semperis, explores NIS2 and DORA to see how they compare to more prescriptive compliance models

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.