One of my big takeaways from Bruce Schneier’s Secrets and Lies was the true scope of the potential for security risk – I had long suspected, but it was an eye-opener. So I suppose my attitude now is that I now expect a dozen or so reports like this every week. Still, each one makes you shake your head. Via Australian IT, a security consultant who logged onto Acer’s Aussie site was able to see detailed information about other customers and their orders. Money quotes:
The online shopping portal www.shopacer.com.au revealed purchase order information including names, delivery addresses, emails and contact numbers of customers who had recently placed orders at the site.
It’s understood that customer credit card numbers were not disclosed.
Customers who logged on to the site to check the status of their equipment orders via a bookmark stored in their web browser were freely able to access order details of other customers.
IT security consultant Alex Lane discovered the problem while checking the status of his equipment order and immediately reported it to Acer today.…
Acer director of e-commerce, Des Paroz, has apologised to customers for the security breach.
He said it was caused by a software glitch that had gone unnoticed since the site was last upgraded three months ago.