Web security breach forces users to cancel cards

Thousands of people today discovered that their credit cards details and personal information had been made freely available on a Consumers' Association website.

The CA - publishers of Which? magazine - is contacting the 2,700 customers who purchased a self-assessment tax software programme from the organisation's website, TaxCalc.com, and urging them to cancel their credit cards.

The CA said that the site had been shut down "within seconds" of a call from a Times journalist yesterday, informing them of a serious breach of security on the TaxCalc site. It could not confirm the technical reason for the breach and said an independent security expert has been hired to conduct an immediate audit of the site.

The organisation did not know if customers would be offered compensation for possible fraud and the inconvenience of being forced to cancel their credit cards.

The CA's other e-commerce ventures were secure, it said.

A CA statement said: "We appreciate the concerns that the public has about shopping online, but other forms of using a credit card also carry a risk. We are still saying that you can shop online with confidence at the Which.net site."

Ironically, the CA set up the Which? web trader scheme in June 1999 to boost consumers' confidence in online transactions. Billed as "your link to safe online shopping", the scheme established a code of practice for UK-based websites to ensure that customers are treated fairly online.

Despite the security breach, the CA argued this morning that consumers should not lose faith in online shopping or the CA. A spokesman explained that the CA aimed to handle the situation in the best possible way for consumers, informing them immediately of the situation and shutting down the site.

"We have criticised people before when they have not acted swiftly to inform customers. We have gone out and stood as a consumers' champion. When incidents like this do occur, it is important to remove the site immediately," he said.

The CA is not the first company to suffer a humiliating breach of online security. Some previous offenders include:

• Amazon: hackers gained access to the names, addresses, credit card details and telephone numbers of 98,000 customers at one of Amazon's subsidiaries, Bibliofind.

• Barclays: forced to shut down its online banking service in July 2000 after several customers logging on suddenly found themselves staring at other people's confidential account details.

• Halifax: online share dealing shut down after a technical fault allowed some customers to buy and sell shares in random accounts in 1999.

• Moneyextra: a security loophole at this online finance site in May exposed a user's log in name and password. It meant that if a moneyextra customer accessed the service on a shared computer anyone who subsequently sat down at that computer would have access to their entire financial portfolio.

• Powergen: online payment site shut down after the debit card details and personal information of thousands of customers were left unsecured by the company. Powergen initially failed to inform those affected but later compensated its online customers ?50 each.

• Woolworths: site was shut down for two months after a customer discovered the credit card details and personal information of other Woolworth's customers on www.woolies.co.uk in August 2000.

Related articles
04.05.2001: Extra worry for money site
08.03.2001: Amazon in card security row
Ignore the scary tales about internet fraud. It's quite safe, honest
23.08.2000: Another blow to confidence in internet banking security
05.08.2000: Grounded by the fiasco in cyberspace
20.07.2000: Powergen leaks cash card data
07.04.2000: Net security broken at 60% of UK firms


Useful links
Which.net
Which? web trader