
Credit card details exposed by website

by Ian Lynch

23 Oct 2000


Details of thousands of credit cards were left temporarily exposed on the internet by a UK video retailer after it upgraded its website 10 days ago.

An investigation by vnunet.com's sister title Computeractive revealed that details from more than 11,500 customers held by Bensonsworld.co.uk could have been easily accessed by altering the web address in a browser accessing its site.

Bensonsworld.co.uk, the website of 20-year-old London-based retailer Bensons, confirmed the problem and said it was taking precautions to prevent access to the data. It locked access to the website on Monday afternoon by password-protecting it.

By making a simple change to the URL shown in the web browser, visitors could have accessed customer credit card details plus their full names, addresses, phone number and passwords. Passwords for customers' MSN Hotmail accounts could also be viewed.

Ron Benson, managing director of Bensonsworld, told vnunet.com that details could have been seen. "I'm very concerned that this could have happened. We've resolved the problem and are taking every possible precaution to ensure this doesn't happen again."

Benson said the problem arose after it changed the way its website was hosted. Wiss provides the company with bandwidth connectivity and server space in its Telehouse-based facility. Ten days ago, Bensonsworld switched from a server shared with other sites to a dedicated server.

David Wiss, managing director of Benson's supplier, said: "Once Bensons switched to a dedicated server, security of their website became their responsibility. We provide hardware, software and connectivity; we do not pretend to be security consultants."

Matt Tomlinson, business development director at MIS Corporate Defence Solutions, said: "That's a massive security problem. If you're going to have a web presence, you must keep your customer details in a separate area of your network from your web pages. At the very least, they should be in a demilitarised zone [separate area off the firewall] and have a separate level of security."

The security fix, however, came too late to save the website from being suspended from comparison shopping website Shopsmart.
