The Consumers' Association (CA) should be thrown out of its own Which? Web Trader internet shopping assurance scheme after it allowed the credit card details of 2700 customers to be published online, according to a leading security expert.
The CA has now closed down its TaxCalc website, which is run by a third party, amid concerns that the details of thousands of credit cards could have been stolen.
The 2700 people who bought the Which? tax calculation software have been advised to cancel their credit cards after the security loophole was reported by The Times.
Kim Lavely, deputy director of the CA, admitted: "This is a serious flaw in the security of the TaxCalc website and we're very concerned about it. As soon as we were made aware of the flaw we removed all personal and financial details from the site. We have already commissioned an independent security expert to conduct a thorough audit of the security of the site."
However, the CA was unable to say whether the website had been audited before, or to provide a detailed explanation of its security audit policy, before the time of publication.
Security analysts contacted by vnunet.com were astonished at the lax security.
Mark Read, network security analyst at MIS Corporate Defence Solutions, told vnunet.com: "This is not an example of a website being cracked; the files were readily available on the server. This is so blatantly stupid it really is quite shocking."
"The CA's own Web Trader scheme says that credit card details should be held securely. They should kick themselves out of Web Trader until they complete their security audits," he added.
Web Trader is "provided by Which? Online to guide you to secure websites where you can shop with confidence", according to information on the organisation's website.
The CA has set up a freephone number (0800 920 150) for TaxCalc purchasers.
You can read the Which? Web Trader code of practice here.