Yesterday, I was curious as to whether my e-mail address was on any spam lists, so I Googled it. I was pleased to find few hits. However, I was concerned about one - what looked like a spammy list on the Dataman website. Clicking on the link, I was surprised to discover that the list appeared to be the result of an SQL injection. Surely a tech-savvy company like Dataman would take all possible precautions to ensure that doesn't happen? After all, their Privacy Policy states they do:

Dataman promptly removed the page (I checked about three hours later, by close of business, and it had gone) and I had a brief reply from Neil Parker first thing this morning:

As this didn't really answer my questions (funny that he said to contact him if I had any questions, but ignored those I'd already asked!), I decided to delve deeper with the help of a friend.

The first thing that was evident was that the site had a copyright date of 2011 - either their webmaster hadn't updated it since then, or they forgot to change the date whenever they updated the site. The social media links don't work, and they misspelt LinkedIn! A look on the Internet Archive Wayback Machine suggests this current design went live in November 2011. This suggests that their webmaster isn't all that diligent when it comes to checking everything is as it should be.

Unfortunately, they don't update the underlying elements of their site. They left the phpBB changelog in place, which indicates they are running phpBB 3.0.9 - a version released on 10 July 2011. The current version is 3.1.7-PL1. Likewise, a handy online tool shows they are running Magento 1.4.2.0, released 15 December 2010. The current version is 2.0.2. Not only that, when they made the current design live in November 2011, Magento was already on version 1.6.1.0! A search on an exploit database will reveal that both the phpBB and Magento versions that Dataman are running are vulnerable to injection attacks.
Whilst my e-mail address was, as far as I am aware, obtained from their software update mailing list via such an attack, it is possible that further personal information of customers could have been obtained. We believe the offending page had been up since somewhere between April and September of last year. It is ironic that a software update mailing list "for details of the latest releases" of their firmware was hacked due to their failure to update software on their server!

Their Privacy Policy annoys me. It is clearly a document covering their back, but they do so by making statements that are not true. Surely the best technique for keeping data on your server secure, and indeed an industry standard practice, is to ensure your software remains up to date?

There were 710 e-mail addresses listed on the page, including well-known companies and government addresses. If you are on Dataman's mailing list, or indeed if you have purchased anything from their website, you might want to contact them to ascertain whether any of your information has been compromised.