The home addresses and personal email details of some 38,000 participants in Sunday’s London Marathon were exposed for anyone to access on the race’s official website, according to a BBC News report.
The private information was reportedly free for anyone to access in the section of the website that allowed runners to order commemorative medals.
Celebrities who took part in the race – and whose personal details were presumably available for anyone to access – include celebrity chef Gordon Ramsay, Shadow chancellor Ed Balls, pop singer Will Young, newsreader Sophie Raworth, and stars of TV shows such as Coronation Street and The Only Way is Essex.
A member of the public stumbled across the problem and then contacted the BBC. The BBC appears to have acted responsibly, informing the London Marathon organisers about the problem on Monday evening.
Nick Bitel, chief executive of the London Marathon, apologised for the security lapse, and said that action was taken immediately to correct the problem.
“We do not believe that this has led to a substantial number of individuals’ details being accessed by members of the public,” Bitel told the BBC.
Nevertheless, questions will be asked as to how the goof could have been allowed to happen.
High profile incidents like this reinforce the need for all website developers to build sites with security in mind. The data you collect about individuals must be secured appropriately – otherwise it could be your organisation making the headlines next time.
The majority of people who take part in the London Marathon do so with the fantastic purpose of raising money for charity – the last thing they deserve is to find their personal information exposed through sloppy security on the part of the organisers.
I'm sure Chef Ramsay was tickled to hear this. I didn't access this site, so don't know the details such as just enter a name and get the information? Anyway, this is something where many web designers do not even think about the results. This can also occur in some OS's that dump the memory contents when a fault occurs; although this has happened less lately, it still happens, and anyone who can read a dump (computer that is) can pull personal information out of it.
Stories like this make me increasingly hesitant to give any information to websites without understanding something about their security measures. The problem is that, although I'm not exactly clueless on the subject of security, neither am I in any sense an expert. Most of what I know about it is stuff I've picked up through my own reading, much of it by reading NakedSecurity.
That's a problem that the security industry must surely be aware of — namely, the fact that even a security-conscious user has no easy way to assess the security practices of any given site. Sure, I can look for a VeriSign, WebTrust, or similar logo, I can check the Certification Authority and other credentials presented by the site, and I can ensure that I don't send any sensitive data via an unencrypted connection, but that doesn't tell me anything about how the data are going to be handled by the site after they receive it.
It would be great if there were some standardized "Best Security Practices" — some kind of certification or set of standards to which data collectors could voluntarily subscribe…for example something like the security equivalent of the W3C standards for HTML, CSS, XHTML,…etc. If there is such a thing, I'm not aware of it.