Website glitch exposes Dodo customer details
A security flaw exposed up to 500 Dodo Power & Gas customer statements on its website on Friday.
Details included customer names, addresses, power usage details and account numbers.
The flaw came to light when a Dodo customer contacted Fairfax to say she had been able to change the randomly generated eight-digit number in her statement's URL on the Dodo Power & Gas website to another, similar number and see other customers' statements.
News Limited has reported similar flaws at Australia Post, which allowed customers of the postal service to see the names, addresses, businesses, email addresses, landline and mobile numbers of Australia Post recipients by manipulating an Australia Post web portal's URL.
Dodo chief executive Larry Kestelman said Dodo regretted there was an "IT issue" that had caused a "small number of customer statements to be exposed". He said the problem had been fixed and Dodo would conduct an investigation to understand what caused the problem and how to stop it from happening again.
"The issue [was] that when a customer manually requested a copy of an invoice or statement it was temporarily placed on our statements website and should have been deleted immediately," Mr Kestelman said. "Instead, the statements remained [online] for a number of hours."
This meant users who altered the number in the URL of their own statement, such as the customer who contacted Fairfax, could see other customers' statements while those copies remained online.
"This has now been corrected," Mr Kestelman said.
Dodo managing director Boris Rozenvasser said the problem exposed between 100 and 500 Dodo Power & Gas customer statements. He said it came about after a script that was meant to delete the temporary copies failed to do so.
"It's not a good thing that has happened but it was a very, very small bug that [caused it]," Mr Rozenvasser said. "It was meant to be deleting [statements] immediately."
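The account above describes two independent failures: a temporary copy that outlived the download it was created for because a deletion script did not run, and a statement page that anyone could open by editing the random number in the URL. The following is an added example, not Dodo's code, of how a statement-download handler can close both gaps: the record is looked up by its random id but then checked against the requesting account, so a guessed neighbouring id returns nothing, and each copy carries an expiry that the handler enforces even when the cleanup job has not yet run. All names (StatementStore, customer ids, the five-minute lifetime) and the sample data are constructed for the example.

```python
"""
Added example (not Dodo's code): a temporary statement store that enforces
ownership and lifetime on every fetch, with constructed sample data.
"""
import secrets
from dataclasses import dataclass

STATEMENT_TTL_SECONDS = 300  # assumption: a manual download needs only minutes


@dataclass
class Statement:
    statement_id: str   # eight-digit random id, as in the article
    customer_id: str    # owning account; assumption: an opaque identifier
    body: bytes
    expires_at: float   # epoch seconds after which the copy is unusable


class StatementStore:
    def __init__(self):
        self._items = {}

    def publish(self, customer_id, body, now):
        """Store a temporary copy and return its unpredictable eight-digit id."""
        while True:
            sid = f"{secrets.randbelow(10**8):08d}"
            if sid not in self._items:   # avoid reusing a live id
                break
        self._items[sid] = Statement(sid, customer_id, body,
                                     now + STATEMENT_TTL_SECONDS)
        return sid

    def fetch(self, statement_id, requester_id, now):
        """Return the body only if the copy exists, is unexpired and is owned by
        the requester. Every failure returns None so a wrong id and someone
        else's id look identical to the caller."""
        st = self._items.get(statement_id)
        if st is None or now >= st.expires_at or st.customer_id != requester_id:
            return None
        return st.body

    def cleanup(self, now):
        """Delete expired copies. The count is returned so a monitor can alert
        when the job silently stops removing anything."""
        expired = [sid for sid, st in self._items.items() if now >= st.expires_at]
        for sid in expired:
            del self._items[sid]
        return len(expired)

    def count(self):
        return len(self._items)


def demo():
    """Constructed scenario: two customers; one requests the other's id."""
    store = StatementStore()
    t0 = 1_000_000.0
    alice_id = store.publish("cust-A", b"alice usage", t0)
    bob_id = store.publish("cust-B", b"bob usage", t0)
    own = store.fetch(alice_id, "cust-A", t0 + 1)        # owner, in time
    other = store.fetch(bob_id, "cust-A", t0 + 1)        # another customer's id
    stale = store.fetch(alice_id, "cust-A", t0 + STATEMENT_TTL_SECONDS + 1)
    removed = store.cleanup(t0 + STATEMENT_TTL_SECONDS + 1)
    return own, other, stale, removed, store.count()


if __name__ == "__main__":
    print(demo())
```

The ownership check in fetch is what the article's site lacked; the expiry check is the safety net for the day the cleanup script fails again, since an expired copy is refused whether or not it has been deleted yet.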
Security expert Paul Ducklin, of Sophos, said a better way of giving customers statements was via email.
"Since the [statements] are reasonably sized, my preference would be to receive it as a PDF in an email, with the option to have it encrypted," Mr Ducklin said.
"Or, better yet, with the default being encryption and an option to opt out."
Security flaws such as the one found in the Dodo Power & Gas website are not uncommon. The federal government is considering tackling them with mandatory data-breach notification laws.
Last month, federal Attorney-General Nicola Roxon released a discussion paper to seek comment on whether organisations should be required to report data breaches, what kind of breaches should have to be reported, who should be notified and what penalties should apply for failure to comply.
This reporter is on Facebook: /bengrubb