Help Wanted: Steal This Database

Sharing is caring!

Hack-proofing a website is hard enough. But the task becomes
gargantuan when you accidentally publish the administrator’s password
on one of your site’s most heavily trafficked pages.

Such a security gaffe may have enabled unauthorized visitors to log in
and access files undetected for more than six months on a server
operated by Carmichael Lynch, a public relations and advertising firm
with several big-name clients. The admin password was inadvertently
published on a page that contained online job postings.

Among the files potentially exposed to outsiders: internal documents,
including customer databases owned by two of the company’s biggest
clients, Porsche and American Standard.

Experts said the incident is the latest example of how shoddy security
can undermine companies’ privacy promises.

Carmichael Lynch removed the posting that contained the admin password
from its site last week. Contained in the help wanted ad, cached here,
were hyperlinks that included a user name and password that human
resources employees used to upload job listings.

Before the problem was corrected, any Internet user could have
accessed files on Carmichael Lynch’s server simply by modifying the
address in the link.

Carmichael Lynch spokeswoman Sara Mulder said the company has no
evidence that unauthorized visitors took advantage of the security

Mulder said the firm’s HR team was using Microsoft’s FrontPage Web
publishing software to post job listings, and the program embedded
“unwanted code, creating that loophole.”

An Internet user who asked not to be identified said he discovered the
problem last June and notified Carmichael Lynch. The user said he
decided to go public with the information after the PR company failed
to plug the hole.

Mulder confirmed that Carmichael Lynch learned last June that its
job-posting process contained a security flaw, but she said the
company thought at the time that it had resolved the problem.

Among the files accessible on the server last week was a 13.5-MB
database containing names, addresses, vehicle information and other
data on nearly 75,000 luxury car and SUV owners.

According to Mulder, Porsche owned the database, which was dated Oct.
20, 2002. But the file’s Properties tab indicated the database was
created by Acxiom, a provider of customer-information tools and

Officials from Porsche Cars North America and Acxiom had no immediate
comment on the incident.

Carmichael Lynch’s security flub also exposed a 7-MB spreadsheet that
contained contact information, including e-mail addresses and
registration passwords, for nearly 12,000 people who had registered
with the American Standard website between April 30 and Sept. 10,

A pop-up window greets first-time visitors to the plumbing supply site
and encourages them to register for access to “site extras” such as a
“wish list” and a preferred dealer locator.

It was not immediately clear why Carmichael Lynch was storing clients’
customer info databases on its public Web server. Such a practice is
dangerous but common among site administrators who are not “security
savvy,” said Harlan Carvey, a security engineer for a financial
services company.

Privacy policies posted on the websites of Porsche, American Standard
and Acxiom state that the companies take “reasonable precautions” to
protect customers’ personal information in their possession. Mulder
said she does not believe Carmichael Lynch has a privacy policy.

Mark Litchfield, co-founder of NGSConsulting, said privacy policies
are often not backed up by strong security practices. Instead, such
statements are merely “jargon” aimed at giving customers “a warm
feeling in parting with their credit card and other associated
sensitive material.”

Privacy expert Richard Smith agreed, and said Carmichael Lynch’s
security practices “don’t live up to the promises being made in their
clients’ privacy policies.”

To prevent such lapses in the future, Mulder said Carmichael Lynch has
“isolated all such data to ensure its security on limited-access

Such data spills can be costly to corporations that fail to follow
standard practices for protecting customer data. Last August,
Ziff-Davis Publishing agreed to pay affected customers $500 each after
lax security exposed the personal data of thousands of subscribers.

ISN is currently hosted by

To unsubscribe email with ‘unsubscribe isn’
in the BODY of the mail.