Glitch temporarily exposes some Buy.com customer data

Computerworld

(IDG) -- Online retailer Buy.com Inc. and United Parcel Service of America Inc. Friday confirmed that a glitch in a new product-returns system used by Buy.com's Web site exposed the names, addresses and telephone numbers of some of its customers to other Internet users.

In a statement, Aliso Viejo, Calif.-based Buy.com said it and UPS "have implemented a technical solution concerning the online returns process" after learning that information about a "small number" of customers was briefly viewable on electronic shipping labels provided by UPS as part of a service announced last month (see "UPS launches online returns service," link below).

Buy.com is the first Internet-based retailer to use the online returns service, which provides online shoppers with on-screen labels that they can print out and attach to the packages they wish to return. A Buy.com spokeswoman said the company would have no further comment on the glitch with the servers that run the UPS service.

But Steve Holmes, a spokesman for Atlanta-based UPS, said credit-card numbers and other personal financial data collected from Buy.com customers as part of online transactions weren't exposed to other users. "Basically, it was just what's contained in a phone book," Holmes said, although he added that UPS isn't trying to downplay the seriousness of the security hole in its servers.

The problem occurred when a customer was returning some merchandise purchased from Buy.com, Holmes said. When a user fills out the return shipping label, the UPS system automatically generates a Web page containing the label. By changing one number in the URL of such a page, Holmes said, the customer who reported the problem was able to see the mailing information of other customers.

"Buy.com provides us the customer information, [which] we then provide back to them in the form of a shipping label," Holmes said. "The problem is they gave us that information in sequential order." Because of that, he added, it was easy for an outsider to figure out that he could view someone else's information simply by changing a single number in the URL.

However, Holmes noted that each label was saved as an image file and not as a data link, which he said made it impossible to create a software program that could automatically capture all the information.
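The flaw described above, a label page selected by nothing more than a sequential number in the URL, is shown here next to a hardened lookup. This is an added Python illustration, not code from Buy.com, UPS or the article; the label records, customer names, `LabelService` class and helper functions are all constructed for the example.

```python
import secrets

# Constructed sample records, numbered in sequence as the article describes.
LABELS = {
    1001: {"owner": "alice", "name": "Alice Example", "phone": "555-0100"},
    1002: {"owner": "bob", "name": "Bob Example", "phone": "555-0101"},
    1003: {"owner": "carol", "name": "Carol Example", "phone": "555-0102"},
}

def label_vulnerable(label_id):
    """Flawed pattern: the number in the URL alone selects the label."""
    return LABELS.get(label_id)

class LabelService:
    """Hardened pattern: unguessable reference plus a per-request ownership check."""

    def __init__(self, labels):
        self._labels = labels
        self._by_token = {}
        self.denied = []  # (customer, token) pairs, kept for monitoring

    def issue(self, customer, label_id):
        label = self._labels.get(label_id)
        if label is None or label["owner"] != customer:
            raise PermissionError("label does not belong to this customer")
        token = secrets.token_urlsafe(16)  # 128 random bits, not derivable from a neighbour
        self._by_token[token] = label_id
        return token

    def fetch(self, customer, token):
        label = self._labels.get(self._by_token.get(token))
        if label is None or label["owner"] != customer:
            self.denied.append((customer, token))
            return None  # same answer for "unknown" and "not yours"
        return label

def neighbours_exposed(fetch, own_id, owner):
    """Regression check: how many adjacent ids return another customer's label."""
    exposed = 0
    for other_id in (own_id - 1, own_id + 1):
        record = fetch(other_id)
        if record is not None and record["owner"] != owner:
            exposed += 1
    return exposed
```

The random token only removes guessability; the ownership check in `fetch` is what stops a leaked or shared link from exposing another customer's label.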

Andrew Shen, a policy analyst at the Electronic Privacy Information Center in Washington, said Buy.com's first responsibility is to notify its customers about the security hole. "I think we're realizing that there is no such thing as perfect security," he said. "But the [issue] is how companies respond when they discover [a glitch]."

Shen added that some people have unlisted telephone numbers and don't want their information given out, especially via a medium such as the Internet.




RELATED IDG.net STORIES:
UPS launches online returns service
(Computerworld)
How do you make online-privacy policies stick?
(InfoWorld)
Congress delays Net-privacy legislation until 2001
(InfoWorld)
Online security: Hype or complacency?
(CIO)
What does it take to secure your systems?
(InfoWorld)
Eve.com responds quickly to security hole
(Computerworld)
E-Bay, Amazon, Buy.com hit by attacks
(IDG.net)
EPIC criticizes first release of Carnivore data
(Computerworld)

© 2001 Cable News Network. All Rights Reserved.