Owners’ details leaked in online service video
MINI driver Andy realises dealer’s e-mail link to video of service on his car isn’t secure
Ensuring customer data is stored securely online is vital for businesses, with every collection of personal details a potential target for computer hackers.
As more aspects of car ownership go digital, there’s more and more information about owners and their cars available. One of the latest tools is video servicing, where garages provide drivers with a short clip of repairs and inspections.
Reader Andy Twine, from Reading, Berkshire, received one of these for a health check carried out during the service on his MINI Cooper from his local garage. The video was reached through a link sent via e-mail, with no password requirement, yet it contained details of Andy and his car.
Concerned, Andy did some digging and found a loophole in the software used, before contacting us to flag up the issue. The system in question was CitNOW, which allows dealers to quickly film and distribute videos to customers, whether they’re selling or servicing a car.
Andy told us: "I am able to easily view details and videos of other cars at garages nationwide.
"I can determine the name of the person, their car registration and which garage it is currently being serviced at. Any unsavoury characters with this information could then call the garage, say they would send someone else to pick up the car, and go to pick it up before the actual owner arrives."
We contacted CitNOW to reveal the loophole and, with Andy’s help, close it. Following several discussions, CitNOW informed us the technology had been updated to fix the security flaw. Andy also confirmed he was no longer able to access it.
A spokesman for the video platform told us: "CitNOW would like to thank your reader for flagging up this issue and encourages anyone in future to get in touch directly for the quickest possible resolution.
"CitNOW takes security and privacy concerns very seriously, and endeavours to rectify any issue as soon as possible. In this case, a fix was made available and deployed on to CitNOW’s global services, following notification of the technical details from your reader."