Loss of personal data.
A security fault in an online competition meant that the personal details of individuals who registered could be accessed by users other than the data controller.
Undertaking issued to ensure that the data controller will obtain sufficient guarantees from the data processor that it will conduct appropriate web application security tests in relation to any web applications and that compliance with these guarantees is ministered.
Reason for action
It was felt that insufficient security testing had been performed on the web application intended for the competition, despite a written contract being in place between the data controller and data processor.
17 Apr 2012
View PDF of the Toshiba Information Systems UK Ltd Undertaking (Via ICO Website)
View PDF of the Toshiba Information Systems UK Ltd Undertaking (Breach Watch Archive)