Experts say Parcelforce data leaks caused by code audit shortcomings

June 2009 (Eskenzi PR) - Fortify Software, the application vulnerability specialist, says that the Parcelforce data leak - in which Web customers were given access to the entire customer records of seemingly random data relating to other customers' postal consignments - is almost certainly the result of shortcomings at the program code auditing stage.

"From what has been reported by the BBC and others, this sounds like a scripting issue with the site concerned," said Richard Kirk, Fortify's European director.

"What's interesting about the Parcelforce site is the scripts used on the main landing pages appear to have been developed in-house, rather than the firm relying on third-party interfaces. This suggests to me that the site was developed by an in-house programming team using Omniture's SiteCatalyst software," he added.

The problem with in-house development of Web sites, says Kirk, is that whilst the staff concerned can be well acquainted with the requirements of the company, they may well lack the ability to look at the code from an audit perspective.

Things have moved on from the old days of 'soak tests' with programs and Web sites, he explained, adding that this means external professionals are usually asked to conduct a range of tests on the Web site software, even including penetration testing where appropriate.

Whether this happened or not remains to be seen, but the fact that customer data was leaked means that the company has probably breached the Data Protection Act, meaning that an investigation is likely.

The Information Commissioner's Office is reported to be contacting Parcelforce to work out what actually happened with the Web site errors and what can be done to prevent it happening again, said Kirk.

"Almost certainly this will involve some sort of audit. It is to be hoped that, as well as Parcelforce learning from this situation, other companies realise it could be their own IT team involved in the corporate red face stakes and review their own Web sites as well," he said.

"Only by efficient code auditing can major errors like this be avoided. We all learn from mistakes. Some more than others," he added.
