Detailed personal information about hundreds of Air Miles cardholders has been available on the Web free for the taking throughout the month of January and possibly for as long as a year.
The incident has renewed calls for tough laws holding corporations responsible for customer data they collect.
A Toronto software developer discovered last year that files containing the names, card numbers, home phone numbers, and addresses of hundreds of Air Miles cardholders were left unprotected at the Air Miles Web site (www.airmiles.ca).
Terry Hamilton assumed then that it was a fluke and would be quickly corrected.
On Wednesday, Mr. Hamilton, who is president of iAssist Computing Services Inc., visited the Air Miles Web site once again to register for the program.
He discovered that a directory on the Air Miles computer containing detailed customer data was easily accessible. The data in those files could have been retrieved by anyone with a basic understanding of the structure of a Web site and read by anyone with a word processor.
The unprotected directory Mr. Hamilton found is known as the cgi-bin directory. On most Web sites, the cgi-bin directory contains databases such as customer accounts, catalogues, or ordering data.
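The flaw described above is a layout problem: records that only a server-side program should read were sitting in a directory the Web server hands out over HTTP. The following Python script is an added example, not code from the article or from Air Miles, showing how a site operator can audit a Web root for exactly that condition. It assumes a conventional layout with `htdocs` and `cgi-bin` as the served directories and `private` as a non-served directory (all three names are assumptions), builds a small constructed sample tree in a temporary directory, and reports any data file reachable by URL as well as any served directory lacking an index page (whose contents a server with indexing enabled will list).

```python
import os
import tempfile
from pathlib import Path

# Directories the (assumed) web server serves to the public.
# A tuple keeps the findings in a stable order from run to run.
SERVED_DIRS = ("htdocs", "cgi-bin")

# File suffixes that normally hold records rather than executable CGI code.
DATA_SUFFIXES = {".csv", ".txt", ".dat", ".db", ".mdb", ".xls", ".log"}


def audit_webroot(root: Path) -> list[dict]:
    """Walk every served directory under `root` and report two kinds of risk:
    a data file sitting where a URL can reach it, and a directory with no
    index page (its contents are listed if the server has indexing enabled).
    """
    findings = []
    for served in SERVED_DIRS:
        base = root / served
        if not base.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(base):
            here = Path(dirpath)
            rel = here.relative_to(root).as_posix()
            if not any(name.lower().startswith("index.") for name in filenames):
                findings.append({"path": rel,
                                 "issue": "no index file; directory listing may expose contents"})
            for name in sorted(filenames):
                if Path(name).suffix.lower() in DATA_SUFFIXES:
                    findings.append({"path": f"{rel}/{name}",
                                     "issue": "data file inside served directory"})
    return findings


def build_sample_tree(root: Path) -> None:
    """Construct a small, fictitious site layout for the demonstration.
    The CGI program lives in cgi-bin; one copy of the member records is
    (wrongly) beside it, and a second copy is kept in `private/`, which the
    server does not serve and the CGI program reads from the filesystem."""
    (root / "htdocs").mkdir()
    (root / "htdocs" / "index.html").write_text("<html><body>Sign up</body></html>\n")
    (root / "cgi-bin").mkdir()
    (root / "cgi-bin" / "register.cgi").write_text("#!/bin/sh\necho 'Content-Type: text/plain'\n")
    # Constructed sample records; not real people or real card numbers.
    records = "card,name,phone\n0000000001,Sample Person,555-0100\n"
    (root / "cgi-bin" / "members.txt").write_text(records)   # the misplacement
    (root / "private").mkdir()
    (root / "private" / "members.txt").write_text(records)   # the correct place


def run_demo() -> list[dict]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['path']}: {finding['issue']}")
```

Run against the sample tree, the audit flags `cgi-bin/members.txt` and the index-less `cgi-bin` directory, and says nothing about `private/members.txt`, because that directory is never served. The remediation the findings point at is the layout itself: keep customer records outside every directory the server exposes, let the CGI program open them by filesystem path, and turn directory indexing off so that an index-less directory does not advertise its contents.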
"To have that directory exposed is the most basic flaw in setting up any kind of Web services", Mr. Hamilton said. "This is a joke. It's something that should have been corrected long ago."
On Wednesday, Mr. Hamilton downloaded the data in the Air Miles cgi-bin directory, looked at the contents, and then notified the company and media outlets in Toronto about the security breach.
John Wright, vice-president and general manager of the Air Miles Business Program, said the company shut the Web site down yesterday morning as soon as it was alerted to the breach, and is trying to find out what went wrong.
The Web site is not connected to the main database containing information on the 5 million Air Miles members, Mr. Wright said.
He said the company has so far determined that only one person retrieved the information from the site in January, and that would be Mr. Hamilton.
He said the investigation will try to determine how long the files were unprotected and how many people might have retrieved them. The site will remain closed until the investigation is complete, he said.
The Air Miles site was designed and is maintained by staff as well as contractors. Mr. Wright refused to say who the contractors are.
Air Miles, the popular program operated in Canada by The Loyalty Group of Toronto, allows cardholders to collect points based on the amount of their purchases made through, for instance, Bank of Montreal Mastercard, Shell gas stations, and Blockbuster video stores. The points can be redeemed for air travel and other services and merchandise.
There are 5 million Air Miles cardholders in Canada.
It appears that the unsecured files contained information on several hundred Air Miles cardholders, believed to be cardholders who visited the Web site at some point. Mr. Wright said not all the names in the files were those of cardholders. Some were people who had visited the site and taken part in a survey.
The information in the files included: Air Miles card number, name, home phone numbers, e-mail addresses, business name, business phone number, the number of employees at the business, the sales revenue of that business, and other data.
"I'm shocked", said Gareth Jones, an Air Miles cardholder whose personal data was in the files downloaded by Mr. Hamilton.
"I find that pretty disturbing. My home phone number isn't published in my local directory. I'm in the construction trade. I don't want a contractor phoning me up at four in the morning because he's upset with me," said Mr. Jones, who is also president of Medgar Sales Ltd., a wholesaler in Hamilton, Ont.
Dwight Tiedeman, a cardholder from Fox Creek, Alta., was unconcerned about the breach. He said he wouldn't mind if someone else had his Air Miles number. By his reasoning, if someone else was using the number, he would accumulate rewards more quickly.
He was then told that someone else might try to use his Air Miles number to claim those rewards. "Hmmn. That wouldn't be such a good thing."
Philippa Lawson, counsel for the Ottawa-based Public Interest Advocacy Centre, said the security breach is the kind of nightmare privacy advocates had been fearing.
"The Air Miles company are clearly in violation of a basic principle of privacy protection that Canadian industries have adopted, that is being held up across the board by everyone as a very reasonable standard to apply", Ms. Lawson said.
Privacy policies are left up to individual corporations, although legislation currently before the House of Commons will make the protection of private customer data mandatory.
The federal legislation is based on the Canadian Standards Association's Model Code for the Protection of Personal Information, recognized as a national standard in 1996. At that time, the code was a voluntary one; companies could opt in and register but they were not compelled to.
"It's been over two years that this thing has been in place. How many businesses have subscribed to this? None. Zero have registered with the CSA for this code", said Ms. Lawson. "The voluntary approach is not working. The incentive is not there."