A recent case note issued by the Privacy Commissioner is a reminder that insecure website design is more than just a programming and credit card issue, but can result in potential privacy complaints. Credit card information was not involved in this particular incident – it was personal travel booking details instead:
A customer purchased travel related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL link ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.
The case note says that the travel company in question contacted its website design company, who fixed the problem very quickly.
Insecure URLs, or more specifically insecure query strings, are a prime cause of this type of disclosure. However, they are fundamental and somewhat trivial for competent web-designers to secure. In this case, it sounds as if the travel company acted responsibly, and was probably not aware of the flaw, instead relying on its website designer to build a reasonably secure site. If the travel company did suffer loss as a result of poor (insecure) website design, they may be able to seek compensation from the designer – this will depend on the contract between the travel company and the website designer. The travel company could also limit its liability to customers with an appropriate disclaimer (which could take into account that the website was designed by another firm), although it is not possible to exclude all liability in this manner.
Another, often overlooked, way for firms to gain some protection from these types of incidents is technology liability insurance offered by some insurers – for example, Lumley Insurance’s Technology Liability Insurance.