Parcelforce blunder blamed on inadequate auditing

Parcelforce’s recent leak of customer records has been blamed on inadequate security testing of the delivery firm’s website.

The BBC last week revealed that Parcelforce’s customers entering their parcel tracking number online were given access to the delivery details of other customers, including names, addresses, and postcodes.

The leak put Parcelforce at risk of breaching data protection laws.

Fortify Software, an application vulnerability specialist, said the leak was most likely caused by insufficient auditing when the website was being programmed.

“From what has been reported by the BBC and others, this sounds like a scripting issue with the site concerned,” said Richard Kirk, Fortify’s European director.

Kirk believes the Parcelforce site was created by in-house developers, who may have lacked the facility of looking at the code from an audit perspective.

He added that the issue with the site will “almost certainly” be solved with an audit.

“It is to be hoped that, as well as Parcelforce learning from this situation, that other companies realise it could be their own IT team involved in the corporate red face stakes and review their own web sites as well,” Kirk said.

“Only by efficient code auditing can major errors like this be avoided.”

Parcelforce said the error on its site has been rectified, although the Information Commissioner’s Office (ICO) may still investigate.

“We will be contacting Parcelforce to establish how this security breach occurred and to find out what steps it will be taking to ensure that such a breach cannot happen again,” an ICO spokeswoman said.

Story link: Parcelforce blunder blamed on inadequate auditing