Durex condom orders leak on web – customer (update 1)

Remember the Astroglide breach, when customers who ordered samples of the lubricant had their personal details exposed online? Now there are allegations that Durex condom orders were leaking on the web.

Last week, this site received a lead about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the url without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing. The orders had not been placed on the kohninoorpassion.com web site, but on the Durex India e-store site. From what the customer could determine, the earliest order exposed online dated back to February 23, 2009, but there is no confirmation as to for how long the customer records might have been accessible without a login. According to the customer’s web site about the breach, no credit card or financial data were exposed.

The customer reported that he promptly contacted TTK-LIG (the marketer of the Durex brand in India and manufacturer of Kohinoor condoms) and SSL International (the owner of the Durex brand worldwide) about the problem and that by the next day, the site appeared to be better secured. But that wasn’t the end of the story, it seems. The customer created his own web site and FAQ about the breach and has been updating it since then. A review of the updates suggest that things took an ugly turn within a matter of weeks.

It started cordially enough. By email on March 6, TTK-LIG thanked the customer for alerting them to the problem, and indicated that they would be sending him a gift hamper by courier and SSL International also reportedly responded to the customer. Neither indicated that they would be notifying any customers of the exposure, however, which was less than satisfactory to the customer.

On March 18, the lawyers appeared. TTK-LIG’s attorneys allegedly sent a threat letter to the customer, reproduced here. It said, in part:

5. During their on-going investigations, our client discovered to their shock from their records that, between the time of intimation to our client on March 5, 2010 at around 1.40 pm India time and the subsequent remedial actions to provide full security to our client’s website on 5th March 2010 at around 11:40 pm India time, you have unauthorisedly downloaded 3,906 order details relating to 2,753 customers, who have transacted with our client through their e-store. You had no business or any authority to download and / or copy the personal information relating to other customers and deal with the same, in breach of the terms of the user of the said e-store or otherwise and you have breached the confidentiality of the other customers. Your action breaches the terms of the user of the said e-store. Such misuse of our client’s website constitutes, among others, an offence punishable under the Information Technology Act read with the provisions of Indian Penal Code.

6. We on behalf of our client state that the civil and criminal wrong already committed by you under the pretext of discovering a so-called ‘data breach’ in our client’s websites, has stood aggravated by your further acts which include the following:

i. Creation of a website which has the effect of falsely instilling a sense of alarm in the minds of our client’s customers and posting various comments therein;

ii. Contacting various customers of our client on the basis of information unauthorisedly extracted by you from our client’s website and thereby inter-alia infringing their privacy. In this regard, our client wishes to add that at least five customers have written to our client in this matter after being alerted by an email generated from the email address [email protected]

[…]

The letter concluded with the typical lawyerly demands.

On March 19, the customer says that he replied, in part:

5. Kindly note that unless you are either able to appropriately substantiate your allegations or I receive a full retraction of all allegations made against me in your note and an unconditional apology from your client within 24 hours of your receipt of this letter via email or at any rate by 10 am on March 21, 2010, I fully intend to (i) commence legal proceedings against your client for serious breach of my privacy and gross negligence with data received in connection with a purchase I made from your client of an intensely personal nature, and (ii) to widely publicise the contents of your legal notice and related information in my possession in the public interest and exercising my rights to protected free speech.

Both the lawyers’ deadline and the customer’s deadline came and went. E-mail inquiries sent to both TTK-LIG and SSL International on Saturday were not answered by the time of this publication.

Update 1: I subsequently received this statement from TTK-LIG:

SSL can confirm that limited transactional details could have been accessible on our Indian website for a restricted time window. These details did not include credit card or other financial information which remain secure at all times.

SSL and TTK-LIG takes data security extremely seriously and we have identified the cause and taken immediate remedial action. The modifications put in place ensure that unauthorized access cannot happen again.

We are completely confident that the website is now fully secure and would like to apologise to all our customers for any inconvenience they may have experienced.

The websites concerned now include an overview of the situation. Customers with any concerns about this should contact our helpline on 044-28115800.

There has been no new update to the customer’s web site about the incident, and it is not clear at the time of this update whether the customer is in possession of any other customers’ data.

About the author: Dissent