Thomas Cook website spills personal info – and it's fine with that

Holidaymakers who used Thomas Cook Airlines had their personal information spilled onto the internet no thanks to basic coding cockups. Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines …

Silver badge

So you have the option to report to the ICO and look like a good boy or not report and line yourself up for the top tier of fines for not doing so if the ICO disagrees with your risk assessment of the breach. Deciding whether to report or not is also a risk assessment, of course. Does the quality of assessment on whether to report indicate anything about the quality of assessment of the breach?

6
2
Silver badge

Well.....

Their incident reporting is obviously as late as their shitty charter flights.

12
2

This post has been deleted by its author

Silver badge

If they are struggling to report themselves, I’m sure there are a few competent people on here that can do it for them.

4
2
Anonymous Coward

Good God

Is Graham Clueless still around?

3
5
Anonymous Coward

stop telling us how serious you are!

We'll judge how seriously you take passenger data based on your actions, like everyone else.

"we take ... blah blah blah" ... well done, your PR dept googled the standard response. F**k off, none of you largish companies give a sh*t

12
2
Bronze badge
Unhappy

Re: stop telling us how serious you are!

Yeah, that's canned incident response template number 1.

Yeah, I'm sick of hearing it too, and sadly it'll never stop.

0
0
Silver badge
Unhappy

Strange spin

Our tame examiners only exposed a few people's details, so we are certain no crims did any better.

O really?

4
1
Facepalm

GDPR requires reporting of data leak except when it doesn't :]

"the controller shall .. notify the personal data breach to the supervisory authority .. unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

So, no sanctions for such leaks and no requirement to report such leaks to the leaked-on. The only practical effect I've seen is multiple click-boxes on websites and some US websites blocking access in Europe.

0
8
Silver badge

Interesting defense

Based upon the evidence we have, and the limited volume and nature of the data that was accessed,

So they are saying that they have so few customers using that site that it doesn't matter?

4
1

re: Spies Denmark

For a second I was wondering what the local Google affiliate was doing in a list of travel agencies.

1
1
Bronze badge

What a bunch of $$$7

In good faith, I believe the company should publish the names and PERSONAL emails of all company board members and those holding the position of VP and above.

If they will do this, then I'll go along with them saying this is a LOW vulnerability... but you know they will never do this.

3
1
Silver badge

"After being alerted to this unauthorised access"

Except it wasn't an unauthorised access. The system was doing exactly what it was designed to do.

What they have there is an unauthorised disclosure. They had a duty of care regarding that data and they left it on a window sill where anyone could take a gander.

0
0


Biting the hand that feeds IT © 1998–2018