I bought a new Toshiba laptop last week. As part of this purchase I also got the opportunity to participate in Toshiba’s Rugby World Cup Competition whereby every point that Toby Flood scores earns me a £1 cash rebate.

We duly filled out the online form to enter the competition. On submission, we got an email containing a link to a Certificate of Registration.
toshibaregistrations.com/rugbyworldcup/Certificates/TOSH1500.pdf
The 1500 number in the URL seemed to be a simple incrementing integer. So we modified the URL by one digit to:
toshibaregistrations.com/rugbyworldcup/Certificates/TOSH1501.pdf
Instantly, the certificate (and personal details) from another customer came up.

This meant that, in a matter of minutes, I could have downloaded every single one of the 1,850+ entries in Toshiba’s competition.
Immediately we contacted Toshiba about this data breach. And I’m only blogging about this now, because I didn’t want to publicise the security lapse. Toshiba have now acted and removed the PDFs.
However, now that the problem has been fixed, I feel that Toshiba’s relaxed stance on data protection should be exposed.
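
The certificate file names described above were derived from a counter, which is why the next customer's file was reachable by changing one digit. As an added example (not from the original post and not Toshiba's code), this sketch contrasts that naming with a link that carries an HMAC tag over the entry ID; the key handling, function names and token format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (assumption): in a real deployment this is
# loaded from a secret store and never appears in a URL or a client.
LINK_KEY = secrets.token_bytes(32)


def sequential_name(entry_id: int) -> str:
    """The pattern from the post: the file name is just the counter."""
    return f"TOSH{entry_id}.pdf"


def signed_name(entry_id: int, key: bytes = LINK_KEY) -> str:
    """Hypothetical hardened name: counter plus a 128-bit MAC over it."""
    tag = hmac.new(key, str(entry_id).encode(), hashlib.sha256).hexdigest()[:32]
    return f"TOSH{entry_id}-{tag}.pdf"


def resolve(name: str, key: bytes = LINK_KEY):
    """Return the entry id for a correctly signed name, else None (serve a 404)."""
    if not (name.isascii() and name.startswith("TOSH") and name.endswith(".pdf")):
        return None
    entry, sep, _tag = name[4:-4].partition("-")
    if not sep or not entry.isdigit():
        return None  # bare sequential names are never served
    expected = signed_name(int(entry), key)
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if hmac.compare_digest(name.encode(), expected.encode()):
        return int(entry)
    return None


if __name__ == "__main__":
    mine = signed_name(1500)
    print(resolve(mine))                                   # own link resolves
    print(resolve(sequential_name(1501)))                  # counter-only name rejected
    print(resolve(mine.replace("TOSH1500", "TOSH1501")))   # edited id rejected
```

A signed link is still a bearer secret: anyone who obtains the emailed URL can open the file, so documents containing personal details are better served behind a login that checks the requester owns the entry.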