In early July of this year we made the decision to enroll my oldest daughter into an early education program designed to "... enable your baby, toddler, and pre-school aged child to explore, develop, practice and refine skills essential for healthy neurological development." In the process of enrollment I discovered a breach in the company website's security that exposed the personal details (and often confidential medical issues) of all their clients. The infraction not only exposes all my personal details but also those of my daughter - the latter being inexcusable.
While I'll refrain from noting the specific security exploits (and there were numerous), and while I'll avoid naming-and-shaming, the situation I found myself in deserves to be shared as an example of a company operating in breach of multiple sections of the (Australian) Privacy Act, 1988. The issue also serves as an example of a company simply not fulfilling the most basic of consumer security expectations (particularly since the personal details of children are involved). Because the breach is exposed by means of a transactional nature, both the web development company that originally built the system and the individual that inherited the system should accept a certain portion of blame. However, once the parent company is aware of their system's vulnerabilities, they need to take ownership of the breach and ensure the system is closed until the problem is resolved... yet I didn't see my advice translate into any kind of urgency. In fact, the CEO's response in one email appeared to indicate that their commercial needs outweighed any privacy violation.
It's only now, a week after my first contact - and a dozen emails later (on each occasion offering to remedy the problem at no charge) - that I've seen the developer implement a very dodgy fix to only the most obvious problem. Additional vulnerabilities exist but they require greater technical proficiency to expose than what might be considered "basic" skills... and certainly outside the scope of the current web developer's knowledge. That said, vulnerabilities still exist and I've lost any and all confidence in the current custodian of the company IT architecture.
I couldn't have been more forward in highlighting the backwards nature of their product. If I could easily hack tens of thousands of records detailing very personal family details - including those of toddlers and infants - anybody could. While I refrained from playing the furious parent when dealing with this business, and while I found the CEO's "apparent" callous approach infuriating (talks only yesterday suggested this wasn't necessarily the case), I maintained composure because I was more interested in implementing a fix and having their database (with my personal details) secured. I've never dealt with a company that outwardly appeared to treat their customers' personal records with such unadulterated contempt.
My discussions with the developer regarding the new system highlighted a clear knowledge deficiency that indicated she was well and truly manufacturing something well beyond her (very limited) skill set. Despite having a new system that was in circulation for franchises to test for usability, there was an expectation that I would build a temporary system in a couple of days rather than simply release something that took her nearly a year.
My point is this: you get what you pay for. I don't think some businesses with very specific feature requests understand the enormous difference between somebody that builds a simple website, and a company that builds feature-rich and secured content management systems. The former group of web practitioners tend to undercharge, under-deliver, and serve uninspired and insecure applications without regard to a sensible time-frame.
The Privacy Act (1988) is very clear on the obligations some companies have in regard to how they collect, store, and treat personal information. Schedule 1 of the Act determines how a business must "handle, use and manage personal information". Failing to comply gives consumers the opportunity to make a complaint to the Office of the Australian Information Commissioner (OAIC), which can often translate to non-economic compensation via determinations made when conciliation has not resolved the matter. As it stands, with existing security exploits still on the web system, and with the company having full knowledge that their data is or was compromised, each of their customers is entitled to make a complaint. The issue, however, is that other parents don't know about the problem (yet) - and they may never find out.
I queried 44,949 personal records (after making about 500,000 queries to their website). If each of those individuals with compromised personal data were to receive the below-average compensation of, say, $2000, for their information being made available, the company would be liable for nearly 90 million dollars. Enough to destroy the business multiple times over.
I'm now aware of various security risks and the absolute worst-practice methods that this business uses to collect and disseminate personal information... but I'm also just a concerned parent that has made an attempt to bring various deficiencies to the attention of the CEO. While server access hasn't been made available to me I'm still, in a sense, an unpaid consultant that is now complicit in their non-compliance. After legal advice yesterday morning I was advised to make an immediate complaint to the OAIC (since it took nearly a week before details were removed). However, the latter action is something we want to avoid because, well, this is a place my daughter now attends. See my dilemma?
After a full week of making ongoing attempts to get in touch with the CEO, I spoke to him yesterday afternoon. I've advised in the strongest tone possible that they need to seek out professional web development (not me - I'd never undermine another developer for financial gain). Their current administrator - while passionate and probably competent enough to build a simple website - is well and truly out of her depth. Keeping her on contract after a breach of this significance, and after learning of her inability to satisfactorily ensure future security, would be inexcusable.
Need More Information?
The security issue, while it affects parents all over Australia, contains a significant number of those from Sydney and surrounding regions. If you have your child enrolled in a program and you're interested in learning if you might be affected, please get in touch with us.