Today I discovered something shocking, amusing, and embarrassing for the supplier & end customers. I was hunting using a search engine for a summary of a talk I did years back. Up came a result with my name, address and order details in a CSV online. It was within a CSV of an outsourced logistics firm which an online training provider used to post me two items this year.

The CSV contained thousands of order and dispatch records. I went back a step to the directory (clients.xxxxxx.com) and found twenty CSVs along with three subfolders. On opening a random CSV, up came many fields, including two fields with odd and rude words. Hmm. What have I just stumbled across?

It was an order list for an adult store, along with item ordered, name, address, country, dates, tracking number and a lot more. I was trying to keep a straight face, then tracked down two directors at the firm and emailed them. Thirty minutes later there was an email reply. Guess what they said?

“We are currently investigating the issue with our hosting provider. We take customer security very seriously.” This is a bit like politicians saying “for hard-working people”. It is repetitive and boring.

The moral of the story? Don’t put internal data on a public website, and if you are stupid enough to do so, hide it and set permissions properly. Supply chain and outsourcing are often a weak link. Do technical and governance security audits of suppliers.