Busy Bees apologises for potential leak
Following a previous report on The H, Busy Bees, a company that manages childcare vouchers for a number of organisations, has confirmed that there was a a potential data breach of their web site. A Busy Bees user had found that the Citrix Metaframe based system used for the site allowed access to system and data files, via the Java based web plug-in that was the public facing web front end.
A spokesperson for the company said that the vulnerability had only existed for twelve hours, after an update had opened access to Windows 2000 file open dialogues and that when alerted to the problem they immediately closed the site down. The site has since remained off line and is being replaced "next week" with a web application hosted on Microsoft's IIS6 server.
When asked why Busy Bees didn't roll back the system to the previous, secure version, the spokesperson said that Nick Gibbins, who had discovered the problem, had expressed worries about the Citrix Metaframe implementation. Given that the company can also be contacted on the phone, taking down the site for a few weeks while a new system, which was already in development, was deployed, was the best solution. Busy Bees say that there was no data leakage and thanked Gibbins for his prompt reporting of the issue.
The Busy Bees spokesperson apologised on behalf of the company, saying it had not seen a problem like this before and that it takes data security and privacy seriously.