Busy Bees childcare voucher data leak plugged - Update
A UK childcare voucher scheme has been taken offline after a user, Nick Gibbins, found that its "web" application was exposing personal data on more than one hundred thousand users. Gibbins found that the Busy Bees childcare voucher system was in fact a Windows 2000 desktop application published through Citrix MetaFrame, with its user interface delivered to the browser by a Java client plug-in embedded in the web page.
On further examination, Gibbins found that clicking on an empty area of the application display popped up a menu giving access to the data in the underlying database. He was able to search on terms such as 'sort code', 'account number', 'BACS reference' and 'address'. Worse still, selecting any part of the search results form and pressing return opened a standard Windows 2000 file open dialog. Because the application was running on the Citrix server rather than on the user's machine, that dialog browsed the server's file system with the privileges of the published application, giving access to any file on the Windows 2000 system. Gibbins says that he found the email addresses of every Busy Bees customer, payment logs and service logs containing National Insurance numbers, all without opening any database files.
Gibbins contacted Busy Bees, who have now taken the voucher site down "for maintenance". In his blog post he also lists a number of the company's other corporate and public sector customers, who may want to check on the security of their own data.
Update: Since this story was written, Gibbins has locked the blog post to "friends only" while awaiting a more concrete response from Busy Bees. See "Busy Bees apologises for potential data leak" for the company's official response.