Durex leak reveals customer details

A website selling Durex condoms in India suffered a data breach that revealed customers' names and orders.

Databreaches.net reported that on March 5, a customer reportedly discovered that anyone could view his and other customers' orders on the kohinoorpassion.com website by simply inserting a different order ID number in the URL without any login required.

Available information included names, addresses, phone numbers and the type of products ordered. The earliest order exposed online dated back to February 2009, though there is no confirmation as to for how long the customer records might have been accessible without a login. According to the customer's website about the breach, no credit card or financial data were exposed.

The customer said that he contacted TTK-LIG, the marketer of the Durex brand in India and manufacturer of Kohinoor condoms, and SSL International, the owner of the Durex brand worldwide, about the problem and that by the next day, the site appeared to be better secured.

The customer kept a blog of the incident and subsequent legal dealings with TTK-LIG's lawyers. This can be viewed here.

Amichai Shulman, CTO of Imperva, claimed that victims of data breaches need to look beyond basic vulnerabilities such as SQL injections.

He said: “It is always amazing that companies don't think their site defences will be probed by increasingly sophisticated hackers, let alone inquisitive internet users.

“The fall-out from this saga is that the company has now been severely embarrassed internationally, and that's before any legal or regulatory action is involved. Companies need to wake up and smell the coffee when it comes to website security. A failure to make a modest investment at the development and implementation stages can result in considerably more cost - and damage to reputation - in the longer term."

See original article on scmagazineus.com