- "A security fault with the incremental numbering of the competition entrants registration URL created the potential for access to other customers' personal data for a two-month period," the regulator said.
When designing your own application you need to perform authorization checks on every request to ensure that the user has permission to access the requested resource, rather than trusting an identifier supplied in the URL. The OWASP Top 10 (A4, Insecure Direct Object References) gives more guidance on how to implement this.
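As an added example (not code from the original post, from Toshiba's site or from OWASP), here is the pattern described above in Python: a record lookup that uses an incrementing id straight from the URL, beside one that checks ownership, plus the per-user indirect reference map that the OWASP A4 guidance recommends. The entrant records and user names are constructed for illustration.

```python
import secrets

# Constructed sample data: entrant records keyed by a sequential id,
# the shape of identifier that appeared in the registration URL.
ENTRANTS = {
    1001: {"owner": "alice", "name": "Alice A.", "email": "alice@example.test"},
    1002: {"owner": "bob", "name": "Bob B.", "email": "bob@example.test"},
}


class NotAuthorized(Exception):
    """Raised for both a missing record and a record the user does not own."""


def get_entrant_unchecked(session_user, entrant_id):
    # Vulnerable pattern: the id from the URL is used directly, so any
    # logged-in user can walk 1001, 1002, ... and read other entrants.
    return ENTRANTS.get(entrant_id)


def get_entrant(session_user, entrant_id):
    # Hardened pattern: fetch, then verify the authenticated user owns the
    # record. One error for "missing" and "not yours" avoids confirming
    # which ids exist.
    record = ENTRANTS.get(entrant_id)
    if record is None or record["owner"] != session_user:
        raise NotAuthorized(f"entrant {entrant_id} not available to {session_user}")
    return record


# Indirect reference map (OWASP A4): each user gets random tokens that map
# to the ids they own, so no real id ever appears in a URL.
_REFERENCES = {}  # session_user -> {token: entrant_id}


def issue_reference(session_user, entrant_id):
    # Only hands out a token for a record the user is authorized to see.
    get_entrant(session_user, entrant_id)
    token = secrets.token_urlsafe(16)
    _REFERENCES.setdefault(session_user, {})[token] = entrant_id
    return token


def resolve_reference(session_user, token):
    # A token is looked up only in the calling user's own map, so a token
    # copied from another user's URL resolves to nothing.
    entrant_id = _REFERENCES.get(session_user, {}).get(token)
    if entrant_id is None:
        raise NotAuthorized("unknown reference")
    return get_entrant(session_user, entrant_id)
```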
It's surprising how few of the ICO undertakings are related to website issues. You can look at the ICO's "Taking Action" page to get a feel for what type of issues cause problems.
Useful Links on this blog:
- Analysis of ICO "Taking Actions" for 2011
- ICO Data Protection Principles and Online Application Design
- OWASP Top 10 2010-A4-Insecure Direct Object References
- The Register: Tosh UK rewards competition hopefuls by exposing their privates
- ICO Press Release
- Undertaking signed by Toshiba UK (PDF)
- ICO Taking Action Page