The scientific journal of the Chaos Computer Club (CCC), Die Datenschleuder, reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants.
As the magazine reports [1], it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures. Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.
Besides name and address, the data records included date of birth, email address and phone number. Many records also included very sensitive information: monthly income, education, bank account information, health insurance data, if and which credit cards are used, which electronic devices are used in the household, children's ages and yet more private data.
"TNS Infratest made a beginner's mistake in their software development. This is unprofessional, grossly negligent and above all deeply worrying," commented CCC spokesman Dirk Engling regarding the incident. "As this information is very sensitive, where abuse such as identity theft or its use in connection with burglary cannot be excluded, THS Infratest needs to inform the victims immediately," he continued.
This case continues a disastrous, never-ending series of information leaks of data held by public and private sector organisations. The need for more strict control of sensitive data collections is evidenced by the recent snooping affairs by German Telecom as well as the data leaks from the "Meldeämtern" (registration of address offices). It is obvious here that data security only plays a minor role in companies. "Especially for companies surveying the most confidential data, the highest security standards have to apply," said Engling.
In view of the severity of the loss, the CCC sees itself vindicated in its calls [2] for strict regulations for public and private sector data collectors.
The press team of the Chaos Computer Club is available for questions at the following addresses: