PSA: More privacy fail

Mar. 17th, 2011 12:45 pm
liv: cast iron sign showing etiolated couple drinking tea together (argument)
[personal profile] liv
I'm registered as a potential bone marrow donor with the Anthony Nolan charity. They appear to have decided that a good way of keeping everybody's details up-to-date is to create websites for all the donors on their register, with URLs of the form www.[firstnamesurname].mydetails.org. When I went to this web-page, I was asked to input my date of birth and when I did so was shown my full home address!

I have just written the following email to Anthony Nolan:
Dear Anthony Nolan Trust,

I am registered as a bone marrow donor with the Anthony Nolan Trust. Today I received a post-card asking me to log in to a website at [fullname].mydetails.org. This website required me to input my date of birth and then gave me a page with my full home address. I do not find this to be at all appropriate! My date of birth is not secure information; I do not expect anyone on the internet to be able to access my full home address (and my status as a potential bone marrow donor, which is personal, medical information) based on knowing my name and date of birth.

I do appreciate the work that the Trust are doing, and I am happy to remain on the register. However, I would ask you to please remove this sensitive personal information from the internet. I have never granted permission to the Trust to publicize my address in this insecure manner, and I do not grant permission to you now to handle my data in this way. I am not willing to send you updated contact details until you have sorted out this serious security problem.

Regards,
[Full Name]
This probably won't affect as many people as the recent Etsy problem, but if you do happen to be on the bone marrow donors register, you might want to check up on this issue. Grr. I really assumed that people who maintain a national register for specifically medical purposes would be at least vaguely competent about confidentiality!
  • Moooooood pissed off
  • Whereaboooouts ST4 6QR
  • Tuuuuuune Modernaire: Faites tes jeux
Tags:
Flat | Top-Level Comments Only

(no subject)

Date: 2011-03-17 02:01 pm (UTC)
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
From: [personal profile] rmc28
I tried my own firstnamesurname.mydetails.org and got sent to firstnamesurname-mydetails.securepurl.co.uk/noguest.aspx

"Sorry, no guests are allowed to view this site"

This is the case for both versions of my surname.

(no subject)

Date: 2011-03-17 02:16 pm (UTC)
lethargic_man: (reflect)
From: [personal profile] lethargic_man
And I got informed my date of birth was wrong. (It hasn't changed, since the last time I checked.)

Actually, I didn't get the postcard you refer to at all, though it may currently be being forwarded from my parents'.

(no subject)

Date: 2011-03-17 02:40 pm (UTC)
liv: A woman with a long plait drinks a cup of tea (teapot)
From: [personal profile] liv
Yeah, they have me listed at my parents' address too, and it was the parents who forwarded me the postcard. I'm a bit unhappy about potentially medical information being sent in the form of a postcard, too, hardly confidential!

I wouldn't be surprised if your name is common enough that they have another person of the same name in their register. So when you attempted to access the site, it rejected you for having the wrong birthday.

(no subject)

Date: 2011-03-17 03:06 pm (UTC)
lethargic_man: (reflect)
From: [personal profile] lethargic_man
I thought so to, so I tried guessing variants with my middle initial and/or middle name, but neither of those worked.

(no subject)

Date: 2011-03-17 02:37 pm (UTC)
liv: cast iron sign showing etiolated couple drinking tea together (argument)
From: [personal profile] liv
I am mystified by how they figured out that I was a legitimate person allowed to view the site and not a guest, then. The only verification they asked for was my date of birth. They can't know anything about the computer I'm working from as I have never logged on to any Anthony Nolan sites from this computer or IP address before today.

As a matter of principle I don't think even the existence of my name on the bone marrow register should be findable by any random person on the internet, even if they can't actually get in to the site with my address details, mind you.

(no subject)

Date: 2011-03-17 04:40 pm (UTC)
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
From: [personal profile] rmc28
Perhaps only people who have been sent postcards? I haven't received one, though I should be on the register via the blood donor people.

(no subject)

Date: 2011-03-20 08:33 pm (UTC)
From: (Anonymous)
I completely agree, furthermore, you can merely extrapolate the names and modify the URL - e.g. joebloggs.mydetails.org and guess the date of birth and you are away. Horrendous. I too have emailed them asking my details to be removed from this ridculously insecure site.

(no subject)

Date: 2011-03-20 08:34 pm (UTC)
From: (Anonymous)
I have tried the names of a few people I know to be on the register, and they certainly exist. Often if your name is common you will be joebloggs1.mydetails.org or similar.
Flat | Top-Level Comments Only

Profile

liv: cartoon of me with long plait, teapot and purple outfit (Default)
Liv
Livre d'Or pages

Soundbite

Miscellaneous. Eclectic. Random. Perhaps markedly literate, or at least suffering from the compulsion to read any text that presents itself, including cereal boxes.

Page Summary

Active Entries

Top topics

December 2025

S M T W T F S
 123456
78910111213
14151617181920
21222324252627
282930 31   

Links

Expand Cut Tags

No cut tags

Subscription Filters

Top of page