Unencrypted emails could breach Data Protection Act
Network IT Week, 31 Oct 2001
Ryanair has admitted that its online recruitment website has a serious security flaw which exposes job seekers' details to the eyes of crackers.
Sensitive personal information, such as credit card details, health records and career history, is collected by the unsecured site and sent in unencrypted email to the company's back office.
The flaw potentially breaches the Data Protection Act, which came into force last week. Chris McAlpine, of the Information Commissioner's Office, said: "The transfer has to be secure, especially for sensitive data."
Phil Robinson, managing consultant at Information Risk Management, pointed out that the inclusion of credit card details made the vulnerability "very serious". Unlike personal data, credit card details can easily be turned into money.
The only way a pilot can apply for a job at Ryanair is via the internet. The recruitment data contains credit card information because Ryanair refuses to consider applications unless a £50 fee is paid.
Embarrassingly for the airline, this vulnerability is easy and cheap to avoid. Secure socket layer (SSL) security, the encryption feature in the software, should be switched on and the company then has only to spend a few hundred pounds on a digital certificate to ensure that data is sent to the correct party instead of to a rogue server.
"Securing a site through SSL is usually a very simple job," said Robinson. "Without it, a network sniffer can pick up unsecured data passing through a cable modem or the local site of the internet service provider. Or someone can spoof Ryanair's domain name and set up a rogue server to receive data from an imitated site."
Michael O'Leary, chief executive at Ryanair, admitted the security blunder to the BBC last week, and promised that the leak would be fixed by this week. Ryanair has since refused to comment on the situation, although O'Leary maintained that it had not deterred job applicants from using the site.
Ryanair's recruitment site states explicitly that applicants' information will remain confidential. "That is clearly incorrect," said Robinson. "The way the data is submitted is totally unconfidential."
On 24 October, the Data Protection Act of 1998 comes into effect for most businesses in the UK. Does your organisation measure up?
High Street giant Marks & Spencer has been forced to tighten its procedures for dealing with its charge card holders after learning it had been acting in breach of the Data Protection Act for almost 15 years.
Critics fear that the 1998 Data Protection Act will be as toothless as its predecessor.
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
Do you agree?
Have your say on this article