Your Privacy is an Illusion

What would you do if your laundry shop published your laundry bills online, along with your name, address and phone number, for the whole world to see?


A couple of months ago, while trying to understand Pakistan’s perpetual energy crisis, I entered the LESCO website hosted at http://www.lesco.info/. As soon as I clicked the Customer Service link, I was teleported to a consumer privacy and security hell. I closed my browser after going through a few pages, hoping that the website would disappear like a bad dream, and tried to forget about it. Two months later, the website is still online, so I think LESCO doesn’t have any plans to take it offline. Meanwhile, I have gone through the five stages of grief, laced with a few non-standard stages like ‘hilarity’ and ‘helplessness’ that Kübler-Ross probably hadn’t thought of, so now I can write about this joke without affecting my blood pressure and general sanity.

When you enter the website, you are rewarded with a pre-filled login form. You heard me right – the form is pre-filled with the username “Guest” and password “*******” (hehe) for your convenience. The links at the top point to a certain firm called Clicksoft and are broken, but you can still visit the Clicksoft website to hear their amusing pitch:

ClickSoft is a groundbreaking software development organization providing high-end technical solutions. Our customers benefit from our vast experience of Enterprise Resource Planning (ERP) software solutions for demanding mission critical environments in retail and wholesale, manufacturing, financial services.

I will not pass any judgement on their claims, but I do wish that their prospective clients do a little research on them before handing them any business.


After you “log on” to the LESCO /mc/ website homepage as a “Guest”, you are handed a search form, but not just any form – this one has the special power of letting you search the complete LESCO database! You can search by any field, including a customer’s name and address, and you can even pull up their neighbour’s bill. By the way, from the search forms, it looks like many people are born with “through”, “Col” and “Officer” in their names.

I am a big proponent of transparency, but LESCO has taken it a bit too far! You can search Applications, search Consumers and even browse the various LESCO locations. The real gem, though, is the Feedback Form. It allows you to “Change Password”! Yes, the same password that is embedded in the login page (*******)… A classic case of WTF!

If you think it ends here, you are wrong: LESCO has one more surprise for you. Visit the Reports section and you will come across URL masterpieces like:

http://www.lesco.info/mc/default.php?action=35&where=%20where%20c.app_date%3C='2008-05-06'%20%20and%20substring(c.loc_code,2,1)='2'&circle=&desc=Demand%20Note%20Paid

Decode the where parameter and you get a raw SQL fragment, " where c.app_date<='2008-05-06' and substring(c.loc_code,2,1)='2'", which the page evidently pastes straight into its database query; whoever edits the URL writes the WHERE clause. All ten-year-old script kiddies and their pet parrots know the kind of malicious things that are possible with a little bit of SQL injection, so I will not spell them out here, but apparently the “Regional Training Centre LESCO”, which owns the website, is still trying to figure out how to build one. With employees like these, who needs corporate saboteurs?
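To make the problem with that URL concrete, here is an added example that is not code from this post, from LESCO or from Clicksoft. It uses a small SQLite database with a constructed schema and constructed rows (an assumption: the real LESCO tables are unknown, only the column names c.app_date and c.loc_code appear in the URL). The hypothetical report_vulnerable function does what a URL carrying a literal “where c.app_date<=…” implies, appending the client-supplied fragment verbatim, and report_hardened shows the fix: the client supplies values only, each value is validated, and the WHERE clause is fixed text with bound parameters. The site’s query uses substring(); SQLite’s equivalent used here is substr().

```python
import sqlite3
from datetime import date


def make_db():
    """In-memory database with constructed sample rows.

    Assumption: this schema is invented for the example and does not
    reflect LESCO's actual database. The 'users' table exists only to show
    that an injected fragment can read tables the report never meant to touch.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE applications (app_id INTEGER, name TEXT, app_date TEXT, loc_code TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO applications VALUES
            (1, 'A. Khan',  '2008-04-30', 'L2'),
            (2, 'B. Malik', '2008-05-01', 'L3'),
            (3, 'C. Ahmed', '2008-06-10', 'L2');
        INSERT INTO users VALUES ('Guest', 'guest'), ('admin', 'hunter2');
        """
    )
    return conn


def report_vulnerable(conn, where):
    """The pattern the URL implies (hypothetical reconstruction): the 'where'
    request parameter is a raw SQL fragment appended verbatim to the query,
    so the client controls the WHERE clause and everything after it."""
    sql = "SELECT c.app_id, c.name FROM applications c " + where
    return conn.execute(sql).fetchall()


def report_hardened(conn, app_date, loc_digit):
    """Same report, but the client may only supply values. Each value is
    validated, and the SQL text is fixed with bound parameters, so a quote
    or keyword in the input is data, never syntax."""
    date.fromisoformat(app_date)  # raises ValueError unless it is a plain YYYY-MM-DD date
    if len(loc_digit) != 1 or not loc_digit.isdigit():
        raise ValueError("loc_digit must be a single digit")
    sql = (
        "SELECT c.app_id, c.name FROM applications c "
        "WHERE c.app_date <= ? AND substr(c.loc_code, 2, 1) = ?"
    )
    return conn.execute(sql, (app_date, loc_digit)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The fragment as it appears (URL-decoded) in the report link.
    legit = " where c.app_date<='2008-05-06' and substr(c.loc_code,2,1)='2'"
    print(report_vulnerable(conn, legit))
    # A client that edits the parameter drops the filter entirely ...
    print(report_vulnerable(conn, " where 1=1"))
    # ... or reads a different table through the same report page.
    print(report_vulnerable(conn, " where 1=0 UNION ALL SELECT username, password FROM users"))
    # The hardened report gives the same legitimate answer and rejects tampering.
    print(report_hardened(conn, "2008-05-06", "2"))
```

The point of the hardened version is not escaping: the request never carries SQL at all, only a date and a digit, and anything that is not a date or a digit is refused before a query is built.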

So, coming back to the original question (“What would you do if your laundry shop published your laundry bill, along with your name, address and phone number online, for the whole world to see?”), if your answer is “Nothing.”, I will understand. The rising oil and food prices have probably pushed things like data privacy towards the bottom of the list of things to worry about. Consider yourself lucky, though, if a telemarketer discovers this treasure trove and a vacuum cleaner salesman comes a-knocking at your door two days after you apply for an electricity connection. It would certainly be better than having your identity stolen, and a lot more entertaining if you are like me.

I did some research on consumer privacy and identity protection in Pakistan to see where the consumers (that’s you and me) stand, and discovered that Pakistan is yet to have a consumer rights protection law. Besides Babar Bhatti of telecompk, who writes about the topic frequently, and Dr. Awab, who urged me to write this post, I did not find any Pakistani bloggers who have shown serious concern about consumer data privacy in Pakistan on their blogs (though my Google search session was brief). I did stumble upon websites for entities like the Consumer Rights Commission of Pakistan and The Network, but have yet to read what they are all about.

On the bright side, incidents like this make one think that perhaps the lack of ecommerce in Pakistan is actually a blessing in disguise. What do you think?

PS. For those too busy to visit the actual website, I’ll try to upload some screenshots soon.

PPS. No bytes were harmed or abused in the writing of this post.