23 Mar 2010

Durex Condom Online Data Breach

On 5th March 2010, I discovered a data breach on the Durex India website Kohinoor Passion. I had earlier ordered Durex products off their estore, and my order had arrived by courier in a nondescript shipping package as promised. Later, I passed an eye over the invoice enclosed with my order. I noticed that it appeared to have been printed off a website, since the url of the website was printed at the bottom of the invoice. Since my computer was switched on and connected to the internet at the time, I idly entered the url in my browser, and received a surprise when my invoice came up on screen, looking exactly as printed – showing my name, contact information, products ordered and amount invoiced. I considered that my login to the Durex estore might still have been alive from my shopping session, and so tried again after clearing my browser history, cache and cookies. For good measure, I even restarted my computer. I could still access my invoice online. Now my curiosity was piqued. I noticed that my order number was part of the url, and so randomly changed this number. To my amazement, another invoice came up, with the order details of someone else who had ordered Durex products online at the estore. Each Durex estore invoice looks something like this: Now replace the billing and shipping details with actual online shoppers’ names, postal and email addresses, and phone numbers, and you’ll realize the enormous amount of information that was at an unsecured location, freely available to anyone with a connection to the internet. (The main admin page http://www.kohinoorpassion.com/admin/ required a username and password, but apparently the subpages didn’t.) 
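The flaw described above is an insecure direct object reference: the invoice page trusted the order number in the URL and never checked who was asking, and protecting only the main admin login page left every invoice sub-page open. The following is an added example, not code from the Kohinoor Passion site (whose implementation this page does not show). It models a minimal invoice lookup over an in-memory store with constructed sample records, first as the vulnerable handler and then with the per-request ownership check that was missing; the session format, role names and exception types are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical in-memory invoice store with constructed sample records
# (customer ids, names and amounts are made up for this example).
@dataclass(frozen=True)
class Invoice:
    order_id: int
    customer_id: int
    billing_name: str
    amount_inr: int

INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, customer_id=7, billing_name="Customer A", amount_inr=549),
    1002: Invoice(1002, customer_id=8, billing_name="Customer B", amount_inr=1299),
    1003: Invoice(1003, customer_id=7, billing_name="Customer A", amount_inr=199),
}

class Unauthenticated(Exception):
    """No logged-in session: the caller must be sent to the login page."""

class Forbidden(Exception):
    """Logged in, but not allowed to see this record."""

# A session is a small dict: {"customer_id": int, "role": "customer" | "staff"}.
Session = Optional[Dict[str, object]]

def get_invoice_vulnerable(order_id: int, session: Session = None) -> Optional[Invoice]:
    """The reported behaviour: the record is looked up purely by the order
    number taken from the URL. The session is accepted but never consulted,
    so anyone who can vary the number can read every invoice."""
    return INVOICES.get(order_id)

def get_invoice_secure(order_id: int, session: Session = None) -> Invoice:
    """Ownership check on every invoice request, not only on the admin login page.

    Staff sessions may view any invoice; a customer session may view only
    invoices whose customer_id matches the session. A missing record and a
    record belonging to someone else produce the same Forbidden response, so
    the endpoint does not reveal which order numbers exist."""
    if not session or "customer_id" not in session:
        raise Unauthenticated("login required")
    invoice = INVOICES.get(order_id)
    if invoice is None:
        raise Forbidden("no such invoice or not yours")
    if session.get("role") != "staff" and invoice.customer_id != session["customer_id"]:
        raise Forbidden("no such invoice or not yours")
    return invoice

def can_view(order_id: int, session: Session = None) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_invoice_secure(order_id, session)
        return True
    except (Unauthenticated, Forbidden):
        return False

if __name__ == "__main__":
    # No session at all: the vulnerable handler still serves the record.
    print("vulnerable, no login:", get_invoice_vulnerable(1002))
    customer7 = {"customer_id": 7, "role": "customer"}
    print("customer 7 views own order 1001:", can_view(1001, customer7))    # True
    print("customer 7 views other order 1002:", can_view(1002, customer7))  # False
    print("staff views 1002:", can_view(2002 - 1000, {"customer_id": 1, "role": "staff"}))  # True
```

The point of the secure variant is that the check runs on the record, on every request, rather than on a single gateway page: clearing cookies or restarting the browser makes no difference to the vulnerable handler because it never looked at the session in the first place.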
I immediately started emailing the following people (using my real name and email address), informing them of the breach:

13:39 TTK-LIG Customer Service (TTK-LIG is the marketer of the Durex brand in India)
14:49 SSL International Open Door (SSL is the owner of the Durex brand worldwide)
20:22 Lisa Caton, Consumer Relations Manager at SSL (I received a vacation response)
20:29 Garry Watts, Chief Executive at SSL
20:50 Paul Doherty, Head of Corporate Affairs at SSL
20:54 Consumer Relations at SSL

When I went to bed, the data breach was still active, and more invoices seemed to have been added that day. When I checked the next morning, the website had been modified, and any direct invoice access attempts redirected to the admin login page. Although I appreciated the speed taken to solve the problem, especially on a weekend, it is anyone’s guess how long the data breach was active before I discovered it, or how many customer records were accessed in that time from unauthorized locations.

FAQs

Q. Did you hack into the Durex customer database?
A. No, the Durex customer database was freely available online. I neither had to guess a username and password, nor did I have to spoof my IP address or use any other tricks to access the invoices online.
Q. What was the date range of invoices you could access?
A. The earliest invoice I noticed had been issued on 23-Feb-2009. That means a range of 376 days before 6-Mar-2010, the date the breach was plugged.
Q. Does that mean the data breach was active for 376 days before you discovered it?
A. I don’t know. By some coincidence, the breach could have opened up just a few minutes before I tried accessing the website on 5-Mar-2010, maybe as an accidental result of a website maintenance happening at that very instant. However, that possibility seems unlikely. TTK-LIG and SSL are the right people to answer this question, since they have access (I hope) to their website change logs.
Q. Yikes! I just looked through my records and notice that I have an invoice issued in the date range mentioned. Did someone other than SSL or TTK-LIG access it?
A. I have no idea, since I do not have access to the kohinoorpassion.com website logs. What is quite certain though, is that your invoice was publicly accessible on the internet for some amount of time, and in that duration anyone could have downloaded it easily.
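The question of who else opened an invoice can only be answered from the web server's access logs, which the author says he does not have. As an added illustration (not anything from this page's author or from kohinoorpassion.com), the following script shows the kind of review the site operator could run over such logs: it records which order numbers were actually served to each client address, flags addresses that walked through many different invoices, and produces the full set of records that were served and therefore need notifying. The log lines, the /admin/invoice?order=N path and the IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/NCSA combined-style format. The
# /admin/invoice?order=N path is a hypothetical stand-in for the real invoice
# URL, which this page does not reproduce. Addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.10 - - [05/Mar/2010:13:02:11 +0530] "GET /admin/invoice?order=1001 HTTP/1.1" 200 2310
198.51.100.10 - - [05/Mar/2010:13:02:40 +0530] "GET /admin/invoice?order=1002 HTTP/1.1" 200 2287
198.51.100.10 - - [05/Mar/2010:13:03:05 +0530] "GET /admin/invoice?order=1003 HTTP/1.1" 200 2301
198.51.100.10 - - [05/Mar/2010:13:03:30 +0530] "GET /admin/invoice?order=1004 HTTP/1.1" 200 2299
192.0.2.44 - - [05/Mar/2010:14:10:02 +0530] "GET /admin/invoice?order=1042 HTTP/1.1" 200 2310
192.0.2.44 - - [05/Mar/2010:14:10:20 +0530] "GET /estore/products HTTP/1.1" 200 8190
203.0.113.7 - - [06/Mar/2010:09:15:00 +0530] "GET /admin/invoice?order=1100 HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
INVOICE_PATH = "/admin/invoice"  # hypothetical path, see above

def invoices_served(log_text: str) -> Dict[str, List[int]]:
    """Map each client IP to the sorted list of distinct order ids for which an
    invoice page was actually returned (HTTP 200). Redirects to the login
    page (302, as the site behaved after the fix) are not counted."""
    served: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        if url.path != INVOICE_PATH:
            continue
        order = parse_qs(url.query).get("order", [None])[0]
        if order and order.isdigit():
            served[m["ip"]].add(int(order))
    return {ip: sorted(ids) for ip, ids in served.items()}

def longest_sequential_run(ids: List[int]) -> int:
    """Length of the longest run of consecutive order numbers in a sorted list;
    a long run is the signature of someone stepping through ids rather than
    opening their own invoice."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(served: Dict[str, List[int]], min_distinct: int = 3) -> Dict[str, Dict[str, int]]:
    """Clients that were served at least min_distinct different invoices."""
    return {
        ip: {"distinct": len(ids), "longest_run": longest_sequential_run(ids)}
        for ip, ids in served.items()
        if len(ids) >= min_distinct
    }

def exposed_order_ids(served: Dict[str, List[int]]) -> Set[int]:
    """Every order id served to anyone: the set of records whose customers
    should be told their invoice was retrieved."""
    return {oid for ids in served.values() for oid in ids}

if __name__ == "__main__":
    served = invoices_served(SAMPLE_LOG)
    print("flagged:", flag_enumeration(served))
    print("records served:", sorted(exposed_order_ids(served)))
```

A real review would also pair each 200 response with the session or login event (if any) behind it, since on this site a served invoice with no login at all is itself the indicator; the threshold and the sequential-run heuristic here are only starting points.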
Q. I haven’t bought any Durex products, but I did buy Kohinoor products online. Could my information have been compromised, too?
A. Since both Durex and Kohinoor likely use the same admin website, it is possible that your details were made public too. Please contact TTK-LIG regarding this, and update me if they reply.
Q. After you brought the breach to the notice of Durex, have they made the site completely secure?
A. Since I am not a data security expert, I cannot comment on this. The admin section of the site (which contains the customer information) is still on the internet, though it now requires a username and password to access. The logic behind choosing this (arguably low) level of security needs to be questioned. Studies have shown that it is statistically not tough to guess someone’s password.
Q. Who can I contact to express my concern regarding this breach?
A. The Contacts page has a list of some people you can write / email / call / fax.
Q. Who are you?
A. I am a customer of the Durex India estore, whose records have been compromised by this data breach. Beyond that, I have no desire to reveal anything more about myself.
Q. Why create this website? What do you want?
A. I’d like an unconditional apology from TTK-LIG Limited or SSL International plc, for being negligent with my personal data.
Q. What will you do with the data that you could access from the Durex website?
A. I will not share the personal data with anyone for any reason, period. Also, I will not contact anyone in the list personally, unless they contact me first. Once SSL and/or TTK-LIG contacts all us affected customers and releases an apology and statement that addresses all concerns satisfactorily, I will delete all traces of the data from my system.
Q. I am an affected customer too. Since you know about me now, I’d like to know more about you, too.
A. That’s a fair argument, but with such a large number of affected customers out there, I cannot risk letting my identity be leaked by any one of them, and soon becoming public knowledge. I have a long career ahead of me, and do not want to spend it being known as the person who blew the whistle on Durex.
Now if my identity becomes public for any reason, I will know that someone at SSL or TTK-LIG is responsible, since they are the only people who know who I am. And that will be a far more serious incident than an unintentional release of information (I’m guessing and hoping this data breach is unintentional).
Q. Why is this such a big deal?
A. Besides the obvious, Durex had posted a privacy policy on their website, which I went through repeatedly before placing my order. The privacy policy begins by stating:
“When you visit the Durex website you may be asked to provide personal information, such as your name, mailing address, email address, telephone number, and other personal information. SSL International plc, the owners of the Durex brand, will ensure the privacy, safety and security of this information.”
Clearly, SSL International plc has not done a very good job of ensuring.
If SSL believes that it is not responsible for TTK-LIG’s mess-ups, they should navigate through the Durex website and notice how it seamlessly leads to the Durex India estore, keeping the Durex brand consistent, and without any warning that the user was entering an area where SSL policies were not applicable. In any case, TTK-LIG (the operator of the India estore) has posted its own privacy policy on the Durex India website, which states:
“Under no circumstances will user information be shared in any manner with external organizations for any reason whatsoever except to the group companies of TTK-LIG Limited for use for purposes stated herein.”
Q. You dumb nut, don’t you know better than to order products of a sexual nature online? Especially in India, a country not really known for upholding privacy values?
A. I know, I know... I am not the sort of person to shy away from visiting a chemist. However, a lot of products on the Durex estore are not commonly available at chemists. I know this, because I have specifically asked for them at multiple stores. After looking at the Durex India website a bunch of times over many months, and learning more about the available products, order process and privacy policy, curiosity finally got the better of me and I went ahead and ordered. Chalk it up as yet another of the dumb things that people will do for (good and safe) sex.
Also, hindsight is 20/20 (or, since we follow metric in India, 6/6).
Q. Will you still buy Durex?
A. Yes, I believe they make the best available-in-India products in their market segments. I just hope they make their entire product range widely available in stores, since I will be very reluctant to buy them online now.