Karin Spaink summarizes and translates two more breaches:
Private data of people who have received a building license in Groningen, is visible via the city’s website. (One needs to apply for such a license when expanding one’s house or building an addendum to it.) Data disclosed are names, addresses, bank numbers, signatures and telephone numbers. In April of this year, the city removed the general index to all approved licenses when warned that it was thus leaking data, and considered the matter done. As it turns out, simply by increasing or decreasing the file number in a url.
response: None, as of yet..
references: Oog.tv, July 13, 2010
Tour operator leaks bookings
Dutch tour operator Corendon gives people who’ve booked via their site a client number and a booking number. Turns out that these are handed out sequentially, so by just increasing or decreasing the number in the query, one can see other people’s data. Visible were: destination, date of departure, return date, flight information, amount paid, amout left to be paid, plus information about all people booked: names, addresses, telephone number, date of birth.
response: Jeroen van der Gun discovered the leak and warned Corendon on June 28. On July 7, Corendon changed the login-procedure for clients, who now also have to enter an e-mail addreess to see their booking.