Electronics manufacturer Toshiba had taken insufficient measures to prevent a web application security flaw that exposed customers’ personal data over the Internet last year, the Information Commissioner’s Office said yesterday.
The company had launched a competition on its website that invited customers to enter their personal data. However, the web application functionality, built by a third party, allowed visitors to view other competition entrants’ details simply by changing a number in the URL.
A concerned customer reported the flaw to the ICO. A total of 20 customers’ data was exposed as a result of the breach.
Although the functionality was built by a third party, the ICO said that Toshiba was at fault for having failed to implement security measures that could have detected the issue.
"It is the commissioner’s view that the organisational and technical security measures implemented by the data controller at the time of this security breach were not sufficient to detect [the] web design error … that resulted in the online compromise of customer data," it said in a statement.
Toshiba has agreed to an undertaking to resolve its security issues. This includes ensuring that its third-party developer has taken the necessary security precautions to protect personal data, and implementing security testing on web applications before launch.
This kind of security flaw is known as an ‘insecure direct object reference’. According to the Open Web Application Security Project (OWASP), it is the fourth most common form of web application security flaw.
Web applications must be designed to verify that a user is permitted to access the precise resource they are requesting, and nothing more, OWASP recommends.
"Code review of the application can quickly verify whether [this] approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe," OWASP advises. "Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe."
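The flaw the article describes, modelled as an added example that is not Toshiba's, the third-party developer's or OWASP's code: a lookup keyed only on the number taken from the URL, beside the hardened form that ties each record to the account that submitted it. The entrants table, account names and field layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    entry_id: int
    owner: str      # account that submitted the competition entry
    name: str
    email: str

# Constructed sample data standing in for the competition entrants table.
ENTRIES = {
    101: Entry(101, "alice", "Alice Example", "alice@example.invalid"),
    102: Entry(102, "bob", "Bob Example", "bob@example.invalid"),
}

def view_entry_vulnerable(entry_id: int) -> Optional[Entry]:
    """The flawed design: the only input is the id from the URL, so any
    visitor who changes the number is shown another entrant's record."""
    return ENTRIES.get(entry_id)

def view_entry_hardened(entry_id: int, current_user: Optional[str]) -> Optional[Entry]:
    """The fix OWASP describes: look the record up, then check that the
    requesting user is entitled to it. A missing record and a record that
    belongs to someone else both come back as 'not found', so the response
    does not reveal which ids exist."""
    if current_user is None:          # unauthenticated visitor: nothing to show
        return None
    entry = ENTRIES.get(entry_id)
    if entry is None or entry.owner != current_user:
        return None
    return entry

def review_check(requests):
    """The 'change a number in the URL' test the concerned customer ran,
    applied to both handlers during review. Returns how many records each
    handler hands to a user who does not own them."""
    leaked_vulnerable = leaked_hardened = 0
    for user, entry_id in requests:
        v = view_entry_vulnerable(entry_id)
        if v is not None and v.owner != user:
            leaked_vulnerable += 1
        h = view_entry_hardened(entry_id, user)
        if h is not None and h.owner != user:
            leaked_hardened += 1
    return leaked_vulnerable, leaked_hardened
```

Running `review_check` over every (user, id) pair before launch is the kind of pre-release test the undertaking calls for; the vulnerable handler leaks every record not owned by the requester, the hardened one leaks none.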