Visitors to the Virgin London Marathon 2012 website were able to obtain the home and email address of any of the 38,000 entrants including many celebrities, politicians and members of the armed services (http://bbc.co.uk/news/uk-england-london-17820700 retrieved 26th Apr 2012 1040 UTC).
This is a very severe failure. It’s important to realize that although it caused a security breach it is not, in testing terms, a security failure but a functional one: as far as is known no attempt to penetrate the system was involved. A genuine user described as “a member of the public” saw her home address displayed and alerted a TV reporter.
No details are available and Virgin has refused to comment so we will probably never know more, despite the Information Commissioner’s promise to investigate. But we will speculate about what happened nevertheless.
The BBC report says “The details were available on the section in which commemorative medals, with individual race times inscribed, could be ordered”. This functionality is accessed via the form at http://virginlondonmarathon.com/timing-bar (retrieved 26th Apr 2012 1042 UTC), which accepts the user’s runner number (worn on their chest during the race, which was televised and pictorially reported worldwide) and last name. The next screen is another form which accepts delivery address details. So it seems likely this form was pre-populated with the entrant’s stored details.
There are many unsubstantiated stories of similar disasters. In one of the best-known, a requirement for a banking site read “when the user clicks 'Contact Us' email address, telephone number and postal address must all be displayed”. A developer interpreted this to mean the user’s rather than the bank’s details. A customer accessed her account, reputedly from an Internet cafe near the Pantheon in Rome where she was on holiday. Strangers nearby saw her personal details: they could have told an accomplice in her home country of a good prospective address for a burglary, or attempted some ID-related crime. She took legal advice and received a settlement.
Sadly this root-cause theory, which would let us blame poor review of requirements (something testers rightly love to do), does not fit the current case well. It seems far more likely that the error occurred during design (the form was depicted already partly filled in by the user, and the developer implemented it that way but filled in automatically) or coding (the developer built what seemed like a good usability feature, made easy by the environment, without sufficient consideration of the implications). In either case, the blame lies not with developers but with management. Even a novice tester executing the most cursory of tests would almost certainly have raised an incident as soon as the second form was displayed. So it appears to have been deployed with no testing at all.
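To make the speculated defect and the test that would have caught it concrete, here is an added example; it is not the marathon site’s code and the flow, entrant records, runner numbers and field names in it are all constructed assumptions. It models the two-screen order process described above (public runner number and surname on screen one, delivery address on screen two) in two versions: one that pre-populates the second form from the entrant record, and one that confirms the entry exists but renders an empty form. The `prepopulated_values` check is the kind of cursory test a tester would run on the second screen: any field that already carries a value is stored personal data being echoed back on the strength of public identifiers.

```python
"""Hypothetical reconstruction of the medal-order flow discussed in the post.
Constructed example, not the marathon site's code: the entrant records,
runner numbers, names and addresses below are made up."""
import re
from html import escape

# Constructed entrant records; the real system would read these from the
# entry database.
ENTRANTS = {
    "12345": {"last_name": "Smith",
              "address": "1 Example Street, Anytown",
              "email": "j.smith@example.invalid"},
    "67890": {"last_name": "Jones",
              "address": "22 Sample Road, Othertown",
              "email": "b.jones@example.invalid"},
}


def lookup_entrant(runner_number, last_name):
    """Screen one: both inputs are effectively public (the number was worn on
    the chest and televised), so a match proves only that a result exists,
    not that the requester is the entrant."""
    entrant = ENTRANTS.get(runner_number.strip())
    if entrant and entrant["last_name"].lower() == last_name.strip().lower():
        return entrant
    return None


def address_field(name, value=""):
    """Render one text input; value is HTML-escaped."""
    return f'<input name="{name}" value="{escape(value)}">'


def render_order_form_leaky(runner_number, last_name):
    """The hypothesised defect: screen two is pre-populated from the entrant
    record, so anyone presenting a public runner number and surname sees the
    stored address and email."""
    entrant = lookup_entrant(runner_number, last_name)
    if entrant is None:
        return None
    return "\n".join([
        address_field("address", entrant["address"]),
        address_field("email", entrant["email"]),
    ])


def render_order_form_fixed(runner_number, last_name):
    """Corrected version: the same lookup confirms the race result exists,
    but the delivery form starts empty and the purchaser types the address.
    Stored personal data is never echoed back on the strength of identifiers
    that are not secret."""
    if lookup_entrant(runner_number, last_name) is None:
        return None
    return "\n".join([address_field("address"), address_field("email")])


def prepopulated_values(form_html):
    """The cursory tester's check: which inputs on screen two already carry a
    value? Returns {field: value} for every non-empty input."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'name="([^"]+)" value="([^"]*)"', form_html)
            if m.group(2)}


def form_leaks_pii(form_html):
    """True when screen two arrives with stored personal data already filled in."""
    return bool(prepopulated_values(form_html))


if __name__ == "__main__":
    leaky = render_order_form_leaky("12345", "Smith")
    fixed = render_order_form_fixed("12345", "Smith")
    print("leaky form pre-populates:", prepopulated_values(leaky))
    print("fixed form pre-populates:", prepopulated_values(fixed))
```

Run as a script, the leaky version lists the address and email fields as pre-filled while the fixed version lists nothing. The check is deliberately simple: it needs no knowledge of the data model, only the observation that a form reached with public inputs should not arrive carrying anyone’s private details.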