Grange Hill firm's website exposed thousands of CVs

Lime Pictures had been mistakenly displaying thousands of individual applicants' personal details on the job section of its website. We reported yesterday on what initially appeared to be an isolated incident affecting just one applicant. The Grange Hill and Hollyoaks TV production company had been contacted by a concerned Reg …

COMMENTS

This topic is closed for new posts.
  1. Tim J

    Kudos to El Reg

    Kudos to The Register and its nosy readers for sticking with this - data breaches like this really are totally scandalous. I fear things are going to get far worse before they get better. Shame on Lime Pictures for being so careless, and further shame on them for failing to ensure the problem had been fixed on Friday when they were informed of it.

    Every organisation that has a database of personal information really needs to look carefully at their data protection strategy. I hope that the Information Commissioner's Office comes down like a ton of bricks on those who screw up.

  2. Anonymous Coward

    Someone is telling porkies...

    Well Vicky,

    how can you explain the fact people were still viewing everyone's details, and I'm sure your hosting company will prove that people were viewing the DB via the traffic analysis.

    Again, I was the person who alerted the Reg, and the person's details who I saw, and alerted her, and to this day, I still haven't been contacted by Lime Pictures to confirm my details haven't been seen by whoever viewed that page.

  3. Paul Hurst

    Rubbish!

    "Owen insisted that The Reg, and its readers, had got their facts wrong and denied that the personal details were still viewable yesterday."

    As DoppelFrog pointed out yesterday, the page was indexed by Google.

    http://www.google.co.uk/search?q=Lime+Pictures+online+application&ie=utf-8&oe=utf-8&aq=t

    The cached version has also changed, this time to a fella called Chris.

    The information is still out there on the web, just not at the same web address.

  4. Anonymous Coward

    Google Cached

    As commented on yesterday by another poster, it's critical to point out that some of the information is STILL available via the Google internet cache due to their negligence.

    If you applied for a post there it's critical that you raise deep concerns over this and bring them to court for breach of data protection - I'm no legal expert but I'm sure there is a law that they can be held accountable for.

    I also found the information about the woman mentioned yesterday, her full address and phone number were available.

    Of course I have immediately destroyed such data by clearing my IE history and erasing my own memory!!! ;-)

    P.S. I found out the other day that about a year ago I used my debit card at TK Maxx! A similar breach of personal info there too.

  5. Anonymous Coward

    Google Cache

    Whilst the site may have been taken down yesterday, normally once these stories are reported, when you try and emulate the author of such articles.. you end up not being able to replicate the problem.

    I for one know the site was still giving me the information yesterday (albeit through Google cache) and I could view the details of the lady mentioned in the El Reg article!

    Good work El Reg.. let the Data Protection Act Implementation Team talk to you.

  6. Paul Hurst

    RE: Kudos to El Reg

    "Every organisation that has a database of personal information really needs to look carefully at their data protection strategy. I hope that the Information Commissioner's Office comes down like a ton of bricks on those who screw up."

    I do feel companies are not punished enough; a while back when Nationwide had a laptop stolen, they were fined (big).

    My "favourite" bit was when Nationwide said:

    "In addition, we are taking the opportunity to write to all our customers to reassure them and to remind them of the practical steps they should take to keep their information secure."

    Yep indeedy, they will remind us to keep our data safe(!)

    They must have ordered a pallet of salt especially...

  7. Andrew Bright

    This would never happen

    If Tucker was still there..

  8. Steve Anderson

    Have I got my facts wrong?

    "Owen insisted that The Reg, and its readers, had got their facts wrong and denied that the personal details were still viewable yesterday."

    I think the history and cache on my work PC will beg to differ...

  9. Pascal Monett Silver badge

    Lime Pictures takes identity fraud and data protection "very, very, very seriously"

    There's obviously a "very" or ten missing from that sentence. In any case, Lime Pictures is _going_ to take things seriously when they find out that applicants are getting rarer than hen's teeth.

    I can accept that web applications and security are two things that are difficult to put together, but here we have a case where simply changing an ID included in the URL gives full details of another person.

    That, to me, fingers conceptual sloppiness as the culprit, and there's no excuse for it. It should have been caught from the start by any developer worth his salt.

    Or has the new generation forgotten that a URL is by definition insecure? That the first thing a hacker (even a whitehat one) will try is to change the URL parameters and see what happens?

    Well this is what happens, you display confidential data all over the Internet. Then Google caches it. Then it is visible even when you've taken it offline (which is the primary function of GoogleCache, and has already been a total nuisance for a lot of companies with something they regretted having posted after).

    Welcome to the Internet, Lime Pictures. It's time to wake up and smell the burnt toast.

  10. Graham Jordan

    Address details ey?

    If anyone finds Gemma Atkinson's details pass them on, be a sport.

  11. Conrad

    The sequential ID hack is so old

    If I remember rightly it was a website for a large corporate allowing customers to update their details. I think they were selling PC hardware of some sort, printers or something.

    But nearly 5 years down the line, have web-backend developers not been made aware of this simple hack by now? Simplicity when it comes to data is always your enemy. A pity this is job-applicant data, that kind of stuff is always super-sensitive. I mean if someone helps themselves to your credit-card that's one thing... pity this makes so many look bad now.
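
The flaw discussed in comments 9 and 11 (an ID in the URL is the only thing deciding whose record is shown, and the page is then cached by search engines), set beside a corrected lookup. This is an added example, not part of the original thread and not Lime Pictures' code; the in-memory store, function names and sample applicants are assumptions constructed for illustration.

```python
import secrets

RECORDS = []  # constructed in-memory store standing in for the applicant DB

# Keep private pages out of search indexes/caches and browser/proxy stores.
PRIVATE_HEADERS = {"X-Robots-Tag": "noindex, noarchive",
                   "Cache-Control": "no-store"}

def submit_application(owner, name, address):
    """Save a record with a sequential id and a random reference."""
    record = {"id": len(RECORDS) + 1, "ref": secrets.token_urlsafe(16),
              "owner": owner, "name": name, "address": address}
    RECORDS.append(record)
    return record

def view_flawed(app_id):
    """Flawed pattern: the id from the URL is the only thing checked."""
    for record in RECORDS:
        if record["id"] == app_id:
            return 200, {}, record
    return 404, {}, None

def view_hardened(session_user, ref):
    """Corrected pattern: the caller must be logged in and own the record."""
    if session_user is None:
        return 401, PRIVATE_HEADERS, None
    for record in RECORDS:
        # "Missing" and "not yours" get the same answer, so the handler
        # does not reveal which references exist.
        if record["ref"] == ref and record["owner"] == session_user:
            return 200, PRIVATE_HEADERS, record
    return 404, PRIVATE_HEADERS, None

def demo():
    """Run both handlers over two constructed applicants."""
    alice = submit_application("alice", "Alice Example", "1 Sample Street")
    bob = submit_application("bob", "Bob Example", "2 Sample Street")
    return {
        "flawed_next_id": view_flawed(alice["id"] + 1)[2]["name"],
        "own_record": view_hardened("alice", alice["ref"])[0],
        "other_record": view_hardened("alice", bob["ref"])[0],
        "not_logged_in": view_hardened(None, alice["ref"])[0],
    }

if __name__ == "__main__":
    print(demo())
```

The random reference only makes records hard to enumerate; the ownership check is what stops one applicant's page being served to another, and the response headers ask crawlers not to index or archive it.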
