cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Newcomer I

What do you do when a private company ignores the data leakage reported to them?

I discovered a data leakage vulnerability on a website that leaking PII of their customers. I reported this to their service desk and one of the owners of the company. I was told to remove them from any future emails otherwise I would be reported for Spamming. I contacted them again clarifying that they had a data leakage problem and screenshot the example on their website. I said I am freely sharing this information with them and wanted to communicate with someone that can fix the problem.

 

Nothing by crickets, with them still leaking this data.

 

It's not a big company but they are leaking about 3000 of their customers PII and some internal confidential information. If someone dug deeper into the unsecured API I am sure they would find even more data.

 

What would be your next step?

2 Replies
Contributor III

Re: What do you do when a private company ignores the data leakage reported to them?

If it were in the UK you could report them to the data protection regulator; the ICO.  The ICO could then threaten them with enforcement action unless they addressed the vulnerability.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Community Champion

Re: What do you do when a private company ignores the data leakage reported to them?

> litwin (Newcomer I) posted a new topic in Welcome on 07-04-2019 06:06 PM

 

> I discovered a data leakage vulnerability on a website that
> leaking PII of their customers. I reported this to their service desk and one of
> the owners of the company. I was told to remove them from any future emails
> otherwise I would be reported for Spamming. I contacted them again clarifying
> that they had a data leakage problem and screenshot the example on their
> website. I said I am freely sharing this information with them and wanted to
> communicate with someone that can fix the problem.   Nothing by crickets, with
> them still leaking this data.

 

OK, be really careful. These guys obviously don't care about anything so much as their "brand." You are now the threat, as they perceive it. And, unfortunately, they can make lots of trouble for you.

 

>   It's not a big company but they are leaking
> about 3000 of their customers PII and some internal confidential information. If
> someone dug deeper into the unsecured API I am sure they would find even more
> data.   What would be your next step?

 

You might want to talk to some of the security research outfits, who know how to do this. If pursuing it yourself, get some legal help first. (EFF might be a good place to start.)

 

Even though it goes against the grain, and you are only trying to help others, it may be that your best course is simply to walk away.

 

If not, having tried to alert the company and been rebuffed (I'd keep all correspondence on that score) you might simply write up the problem and publish it. But, even that could get you into legal trouble if they decide to sue ...

 

(All of this assumes that you reside in the Litigious States of America.)


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468