Personal details of UK residents – including names, addresses and signatures – have been exposed on Parcelforce’s website after a security breakdown.

An investigation by the BBC revealed that anyone using the mail-tracking feature on Parcelforce’s website could see information from unconnected deliveries. The sensitive information included names, postcodes and, in some cases, signatures.

The breach puts Parcelforce in danger of breaking data protection laws. Parcelforce apologised for the security lapse and said that the problem had been resolved. The firm, part of the Royal Mail Group, said that the problem arose when work was being carried out on its computer system on Wednesday night and Thursday morning.

A spokesperson for the Information Commissioner’s Office (ICO) told the BBC: “Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure. We will be contacting Parcelforce to establish how this security breach occurred and to find out what steps it will be taking to ensure that such a breach cannot happen again.”

The breach was probably caused by code audit shortcomings, according to application vulnerability vendor Fortify.

“From what has been reported by the BBC and others, this sounds like a scripting issue with the site concerned,” said Richard Kirk, Fortify’s European director. “What’s interesting about the Parcelforce site is the scripts used on the main landing pages appear to have been developed in-house, rather than the firm relying on third-party interfaces.”

Kirk added that this occasionally means development staff overlook the audit requirements of the code.

“It is to be hoped that, as well as Parcelforce learning from this situation, that other companies realise it could be their own IT team involved in the corporate red-face stakes and review their own websites as well,” Kirk added. “Only by efficient code auditing can major errors like this be avoided. We all learn from mistakes. Some more than others.”