
I am registered to a site which doesn't manage passwords correctly. It is a user area for a company that provides services of some sort and which uses the area to show details of the contracts and for payments.

Now, if I forget my password, there is a procedure that allows me to gain access to my area again. Problem: they email you your password back. And I cannot think of a way such behaviour could be implemented securely (and I'm pretty sure it's impossible; happy to be proven wrong).

How could I approach the company to let them know about the problem? What I have thought of so far is:

  1. Just leave the site and don't use it. Well, the service is good and the user area is convenient, so this is really not an option.

  2. Reach their privacy department through an email address I found somewhere on their site. I would do that, but I am not sure what to say, and also I am not sure if I should disclose who I am or keep anonymity.

  3. Talk directly to the third-party privacy authority. Both I and the company are located in the EU and subject to GDPR, and in my country, there is a state-controlled authority that has some leverage in terms of privacy of data, and this looks to me like a big privacy concern.

I was thinking of starting with 2 and then moving to 3 if no sensible response is received.

schroeder
bracco23
  • I would contact them through the provided email address. If they don't respond soon you can move over to the authority. So your approach would be the right one. – Cyberduck Dec 10 '19 at 13:51
  • What your options are under GDPR falls under regulatory advice. You would need to work with your regulator. This problem, though, is not seen primarily as a privacy issue, but a security issue. Yes, GDPR expects "reasonable measures" to secure personal information, but privacy is a tangent. The duplicate link provides options. Mostly, it's "name and shame". – schroeder Dec 10 '19 at 13:59
  • FYI, there is a site for this. See https://plaintextoffenders.com/. – mti2935 Dec 10 '19 at 16:49
  • I would approach such a site by moving rapidly in the opposite direction – Mike Caron Dec 10 '19 at 22:42
  • just FYI I emailed and they answered that they use SSL and that is enough. Man, I wish I could punch someone in the face right now. – bracco23 Dec 11 '19 at 08:14
