Who to inform about online business not requiring authorization?
March 17, 2017 8:34 AM   Subscribe

I found rather accidentally an online business does not require authorization to view Order Information if you know the Order number. The information includes billing address, shipping address, phone number, email address, item's ordered, and price paid. I'm going to contact the business, but who else should I contact? Is there some governing body in charge of verifying things like this? The BBB?

They use Norton Shopping Guarantee, PayPal, BBB Accredited business, not sure if any of these should be notified?
posted by czytm to Computers & Internet (12 answers total)
 
I would not contact any third parties until you've been in touch with the business and given them a chance to respond, but if you really feel the need to report this to an external party, I would tell BBB.
posted by schroedingersgirl at 8:50 AM on March 17 [1 favorite]


Sorry for the follow up, to narrow the scope of my question - I don't want to damage the business's reputation or anything, I'm specifically wondering if there is another entity to inform, such that this entity would then be responsible for ensuring the business fixes the problem.
posted by czytm at 8:56 AM on March 17 [2 favorites]


The BBB is a subscription service that the business pays to be a part of. They have no legal authority over what a business does or does not do.

You could contact your state dept of consumer affairs.
posted by vignettist at 8:56 AM on March 17 [4 favorites]


Is there a reason you don't want to contact them directly? If it is a small business, they just might not be informed enough. Years ago I contacted a rather good sized business with similar information. They corrected it and everything was fine. A lot of businesses don't start out online, and can easily make (many) mistakes.
posted by Vaike at 9:21 AM on March 17


There's a link to report data privacy concerns to the FTC on this page.
posted by praemunire at 10:56 AM on March 17


such that this entity would then be responsible for ensuring the business fixes the problem

This isn't possible. You can report it to the relevant agency--IF there even is a relevant agency--but it's completely up to them whether they want to do anything about it.

I've filed complaints with the FTC where I handed them screenshots and cites to the rule that was clearly being violated, but nothing ever came of it.

But you can try. In addition to the FTC you can also try your state attorney general.

It would be helpful in making your complaint to check whether the retailer has a privacy policy and whether they are violating it. In addition, are you actually the harmed party (i.e. your info is susceptible)? That will strengthen your complaint and make it more of a tangible concern as opposed to just a random report.
posted by mama casserole at 11:01 AM on March 17 [1 favorite]


> I don't want to damage the business's reputation or anything

It's their carelessness in handling customers' personal information that is behind any risk of damaging their reputation -- this is all on them. You'd just be the messenger, if you chose to point it out. And I would report, first to them directly, and see what kind of response you're given.

Then review all the third-parties that they list like Shopping Guarantee, see exactly what those businesses and organizations say that their badge appearing on a site is supposed to guarantee. If you feel the site, as it exists now, doesn't meet that guarantee, call it to their attention, regardless of how the store responds. They should know that whatever screening and verification they do on sites that carry their seal of approval didn't cut it in this case.
posted by radwolf76 at 11:03 AM on March 17 [1 favorite]


It's a mom and pop business with a ten-year-old website. I can tell by the reference to "Norton Shopping Guarantee" and "BBB Accredited." Those badges typically appear next to the one that says "Works best with Microsoft Explorer 6."

There is no central agency that is going to make all mom and pop businesses comply to best practices (which even the biggest/best internet businesses don't entirely agree on).

There IS a standard on certain security practices, i.e. PCI compliance (https://www.pcisecuritystandards.org/). It has some force in that a major merchant is going to comply with it due to their merchant banking relationships, and an external audit is required. For most smaller businesses it's somewhere between "What's PCI?" and a handwave document (SAQ C) where you answer all the questions (self-report) on your site, tell your bank you've done the paperwork, and hope for the best.

Unless you've actually been damaged by this behavior in some way and have grounds for a suit, your sole remedy is to not buy from the site again. If you want to contact the business and let them know it does that, that's probably the best course, but expect to have an excruciatingly ignorant conversation...
posted by randomkeystrike at 12:34 PM on March 17 [5 favorites]


your sole remedy is to not buy from the site again.

I would also suggest, that once you have received your product, if they haven't fixed the vulnerability, badgering them to change your own personal contact information for that order number in their database, so that if and when they do get hacked, you're not vulnerable.
posted by radwolf76 at 4:27 PM on March 17


Understandable, but 9 out of 10 of these businesses would not know how to do that. Not even kidding.
posted by randomkeystrike at 5:58 PM on March 17 [2 favorites]


There have been cases where the person informing a business of a similar issue has been accused of hacking the site. You are putting yourself at risk by letting them know, unless you can do so anonymously.
posted by Sophont at 8:56 PM on March 17 [1 favorite]


Seconding the suggestion to inform them anonymously. Y'know, just in case.
posted by gakiko at 1:23 AM on March 19


« Older Learning to Surf in Mexico   |   Calling all makers Newer »

You are not logged in, either login or create an account to post comments