I signed up for an insurance policy online about a month ago, and once I had access to my client area, I noticed that my contract number was in the URL. So I did what any curious person would do, and tried substituting it for a different one. It worked, I could see another client’s data, with no authentication.
This was a little concerning, so I called the company to tell them, they told me their website was very secure, but that they’d look into it.
I spoke to them another couple of times as I cancelled my policy and I mentioned it each time, again being told that their website was very secure. Meanwhile I could access contracts, vehicle registration documents, bank details, national ID cards etc etc. Everything.
I figured their regulatory body (ACPR) would be interested to hear this, so I called them, only to be told, ‘no it’s not our problem, call the national bank’ so I called the national bank, who told me to call the ACPR. God bless France.
After a bit more chasing around, I opened a complaint with CNIL, an organisation with the tagline “To protect personal data, support innovation, preserve individual liberties”. Their average response time is apparently 2 months. So far, nothing has happened.
So, thank god we’ve got these wonderful new laws to protect our personal data. Meanwhile, my name, address, drivers license, email address, phone number, bank details, car registration document and signed insurance contract are available for anyone who has an ounce of curiosity – as are those of every other client of this insurance company.
If I was less concerned about the legal ramifications, I’d write a little script to scrape all their clients email addresses and send them a message to let them know their data is effectively public. Maybe then something would be done, like me being arrested.
Does anyone have a better idea of how the GDPR (or any other law) can be used to actually protect personal data, or does it only extend to endless emails saying ‘we care!’ ?