Sunday, October 03, 2004

Firms still failing online security test

September 30, 2004
The credit card mix-up on Sainsbury's online shopping website this week, which allowed a customer to view someone else's credit card details in her account, highlights how a company should (and should not) handle a security problem once it has been reported.

In Sainsbury's case, the customer had to wait almost two days before getting a response to her initial email reporting the problem, which had the subject line "URGENT: System Bug - Someone else's credit card details stored in my account".

The retailer later insisted it had begun investigating the problem as soon as it received the report, but the customer was sufficiently unreassured that she contacted us about it, out of the genuine worry that it might not be an isolated incident and that other customers could have been affected.

When the response finally came, it did reassure the customer that the problem was a one-off caused by a "corruption" of her account, an explanation followed by some confusing technical jargon.

Just as that seemed to be the end of it, we finally got an explanation from the Sainsbury's press office (after chasing it for over a day), which now claimed the mix-up had been caused by "human error" on the part of a customer service representative.

A further request to clarify exactly what caused the credit card mix-up has still gone unanswered, as has our question about whether Sainsbury's has contacted the customer whose card details were exposed by the error.

In the end this may well be an isolated incident caused by a careless customer services person, but Sainsbury's actions to date have hardly been reassuring and serve as a lesson in how not to handle the publicity around a potential website security hole.

We felt the need to publicise this incident because it shows how failing to deal adequately with reports of security problems, and failing to be transparent about them, can compromise the trust of customers, trust that is vital to doing business online. It's a brave business that gambles on that.

Copyright © 2003 CNET Networks, Inc. All Rights Reserved. is a registered service mark of CNET Networks, Inc. Logo is a service mark of CNET NETWORKS, Inc.