E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Database flub reveals addresses

Source: Toronto Star

Posted on September 8, 2000

These days, Ikea is Swedish for giving the world the names of its customers. The names, addresses, phone numbers and e-mail addresses of 144,229 North Americans sat exposed on the company's Web site earlier this week.

But whether it was a malicious attack or a security shortfall depends on whom you talk to.

Dan Huddle, chief technology officer at Internet publisher Xanga.com, said he discovered the information when he visited the Ikea site to order the company's catalogue Monday morning. After submitting his contact information, an error message appeared.

According to the message, a database file at a specific location, or path, had received too much information and overflowed.

That was Huddle's first clue that something wasn't right. On a secure site, an error message with specific information about the location of the database wouldn't appear on an outside user's screen. It would be sent to the person who maintains the site.

Huddle quickly realized the location listed in the error message could probably be accessed by anyone.

"I was just in disbelief," said Huddle. "Normally you would put a file like that in a directory that the public couldn't access, but Ikea didn't do that. So I went right to the file and downloaded it."

Huddle found the names, addresses, phone numbers and e-mail addresses for the 144,266 Canadians and Americans who had requested the Ikea catalogue over the long weekend.

Rich D'Amico, new business development manager for Ikea North America, said his team was still analyzing the data, but the number of names revealed was easily in the tens of thousands, a typical number of requests for a three-day period. Along with legitimate names and numbers, D'Amico said much of the database content was "repeated information" that might indicate someone had intentionally tried to flood the database with bogus requests.

"Some time around 8 o'clock Friday night, the Ikea catalogue request database was barraged with hundreds of requests for the catalogue. Then an individual broke through the security measures," D'Amico said. "That individual tried to download the database file."

Huddle said that while 80 per cent of the requests he saw were submitted before the weekend, the data all looked "pretty normal." He thinks that what happened was simply a matter of lax security and that over the long weekend no one was around to monitor the Web site, so the database just overflowed.

"Normally, the file is emptied every two days. But there was three days' worth because of the holiday weekend," D'Amico said. The catalogue request portion of the Ikea Web site is maintained by a third-party company he refused to name.

"The way we feel about it is, we set it up, we have this partner and we take responsibility," he said. "Ikea uses the highest of levels of security based on the type of work that we're doing. Customer information is not encrypted because we don't do e-commerce or have credit card numbers."

Encryption technology scrambles customer information into an unreadable code decipherable only by those maintaining the Web site.

Ikea representatives have yet to contact Huddle and said he may have just been caught in the middle of the mess.

"We thought we had this very safe, secure situation with the highest level of protection, and then we found out we didn't. What we need to do now is rethink the whole thing and figure out how we are going to protect our consumers at the highest level possible," D'Amico said.

"That's why we are not going to put this live database live again until we figure that out."
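The two defects the article describes, an error message that names the database file's path to the visitor and a data file stored where the web server will serve it, can be illustrated in code. The following Python is an added example for this archive page, not code from Ikea, its contractor or the Toronto Star; the document root, file paths, row limit and visitor records are all constructed, and the in-memory "store" stands in for the real catalogue-request file. It shows the leaky handler beside its hardened form (detail to the server log, a generic message to the browser) and a check that a data file lies outside the web root.

```python
"""Two lessons from the catalogue-request leak: never echo internal error
detail to the browser, and never keep a customer data file under the web
root. Every path, limit and record below is constructed for the example."""
import logging
import os

log = logging.getLogger("catalogue")

# Constructed layout (assumption): the directory the web server serves from,
# one data file mistakenly placed beneath it, and one placed outside it.
WEB_ROOT = "/var/www/site/htdocs"
PUBLIC_DB = "/var/www/site/htdocs/data/catalogue_requests.db"
PRIVATE_DB = "/var/lib/site/catalogue_requests.db"


def is_web_accessible(path: str, web_root: str = WEB_ROOT) -> bool:
    """True when the normalised path lies beneath web_root, meaning the web
    server would hand the file to anyone who guesses or is told its URL."""
    root = os.path.normpath(web_root)
    target = os.path.normpath(path)          # collapses any '..' segments
    return os.path.commonpath([root, target]) == root


class StorageFull(Exception):
    """Raised when the request store has no room left (the 'overflow')."""


def new_store(path: str, limit: int) -> dict:
    """A toy in-memory stand-in for the catalogue-request file."""
    return {"path": path, "limit": limit, "rows": []}


def save_request(store: dict, record: dict) -> None:
    """Append a contact record. The error text names the backing file,
    which is exactly the kind of detail that must stay on the server."""
    if len(store["rows"]) >= store["limit"]:
        raise StorageFull(
            f"cannot write {store['path']}: limit of {store['limit']} rows reached")
    store["rows"].append(record)


def handle_leaky(store: dict, record: dict) -> tuple[int, str]:
    """Anti-pattern: the raw exception text, file path included, goes back
    to the visitor's browser."""
    try:
        save_request(store, record)
        return 200, "Thanks, your catalogue is on its way."
    except Exception as exc:                 # deliberately broad, as careless code is
        return 500, f"Error: {exc}"


def handle_hardened(store: dict, record: dict) -> tuple[int, str]:
    """Fix: full detail goes to the server log for the maintainer; the
    visitor sees a generic message that reveals nothing about the backend."""
    try:
        save_request(store, record)
        return 200, "Thanks, your catalogue is on its way."
    except Exception:
        log.exception("catalogue request failed")   # path and traceback, server-side only
        return 500, "Sorry, we could not process your request. Please try again later."


def leaks_internal_path(body: str, store: dict) -> bool:
    """Review check on a response body: does it name the backing file?"""
    return store["path"] in body or os.path.basename(store["path"]) in body


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        store = new_store(PUBLIC_DB, limit=2)
        for i in range(3):                   # third submission overflows the store
            status, body = handler(store, {"name": f"visitor {i}",
                                           "email": f"v{i}@example.invalid"})
        print(handler.__name__, status, repr(body),
              "-> names the file:", leaks_internal_path(body, store))
    print("PUBLIC_DB served by the web server:", is_web_accessible(PUBLIC_DB))
    print("PRIVATE_DB served by the web server:", is_web_accessible(PRIVATE_DB))
```

Running the script shows the leaky handler returning the file path in its 500 response while the hardened one returns only the generic sentence, and the path check flags the file under the document root but not the one under `/var/lib`. The `os.path.normpath` step matters for the second check: a path written as `htdocs/data/../../secret.db` resolves outside the root and is correctly reported as not web-accessible.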


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
