Compaq’s e-commerce site athome.compaq.com and the UK sportswear e-tailer official-merchandise.co.uk operated in similar ways. Both sites allocated each customer a specific URL for checking his or her account details such as name, address and telephone number. Each URL included the order number. By simply changing the order number in the URL, one customer could access the accounts of the others. All customer data was held in an unencrypted database.
Failure to adequately secure such customer information contravenes the Data Protection Act 1998, which provides that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The Register noted that no credit card details were exposed and that both sites acted quickly to repair the flaw when alerted to the problem. The news site recommends that the sites encode their database queries and encrypt customer information on secure servers.
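The flaw described above is a direct object reference with no ownership check: the order number in the URL is the only key used to fetch the record. The following is an added example, not code from either site or from The Register, showing that lookup beside a hardened version that ties the order to the server-side session; the order data and customer identifiers are constructed for illustration.

```python
# Added example (not from the article): an order-number URL parameter used
# as the sole lookup key, beside an ownership check that closes the hole.
# ORDERS is a constructed in-memory stand-in for the sites' customer database.
ORDERS = {
    1001: {"customer_id": "alice", "name": "Alice Example", "phone": "01234 000001"},
    1002: {"customer_id": "bob",   "name": "Bob Example",   "phone": "01234 000002"},
}


class AccessDenied(Exception):
    """Raised when the requester does not own the order named in the URL."""


def account_details_vulnerable(order_number):
    """Mirrors the reported flaw: whoever supplies a valid order number in
    the URL receives that customer's record, regardless of who is logged in."""
    return ORDERS.get(order_number)


def owns_order(session_customer_id, order_number):
    """True only if the order exists and belongs to the authenticated customer.
    session_customer_id is assumed to come from a server-side session, never
    from the URL or any other client-controlled field."""
    record = ORDERS.get(order_number)
    return record is not None and record["customer_id"] == session_customer_id


def account_details_checked(session_customer_id, order_number):
    """Hardened lookup: the same response for 'not found' and 'not yours', so
    a client cannot learn which order numbers exist by probing the URL."""
    if not owns_order(session_customer_id, order_number):
        raise AccessDenied("order not found")
    return ORDERS[order_number]


def lookup_log_line(session_customer_id, order_number):
    """Audit line a defender would want: many denials from one session across
    a run of order numbers is the signature of someone walking the parameter."""
    outcome = "ok" if owns_order(session_customer_id, order_number) else "denied"
    return f"customer={session_customer_id} order={order_number} result={outcome}"
```

Pair the ownership check with references that are not sequential (a random per-order token rather than an incrementing number) so that a missing check is harder to exploit, and keep the denial log lines to spot enumeration attempts.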