Customer Invoices of Office Supply Company Available in Unsecured Form Online

Incident Summary #8

Incident

Two individuals were customers of an office supply company. They reported to our Office that they were able to access the electronic invoices of other clients from the company’s web site by simply altering a series of four digits found on the web address of their own invoices.

After the customers raised their concerns, the company’s chosen means of breach notification was to post its response to customers' concerns on a third-party web forum. Our Office advocated for a more effective notification in the future, as well as the designation of a privacy officer.

Outcome

Once aware of the incident and after discussions with our Office, the company took several steps to mitigate the likelihood of a recurrence, including: (i) no longer transmitting invoices by general emails (instead a secure login procedure is now required for customers in order to access such invoices); (ii) a random and uniquely-generated code will link to all electronic invoices; (iii) new, enhanced testing procedures to evaluate all online functions; and (iv) the appointment of a privacy officer to monitor and approve all utilization of user data.

Final Comment

Despite the root cause of this incident being technological in nature, many organizational shortcomings were apparent that may have ultimately contributed to the occurrence of this incident. The lack of oversight by a dedicated Privacy Officer holding an understanding of the organization’s personal information handling practices may have contributed.  In addition, the organization’s lack of awareness with respect to the process of notification to affected individuals served as an obstacle to adequately mitigating risk to individuals resulting from the breach. In response to this incident and at our urging, broader non-technological measures were taken by the organization to address the breach’s cause.