I was searching online for some information about a school. I came across a Comma-Separated Values (CSV) file. This is a text file that can be read using a variety of programs such as a text editor or a spreadsheet program. This file was on a certain school website and apparently was generated from an online form through which parents were applying for slots in the school for their children. The file contained the parents’ names, email addresses, telephone numbers, names of the children and their dates of birth, and other information.
I wrote an email to the school informing them that their online application form was storing data in the CSV file and that this file was accessible to anyone on the Internet. I pointed out that this information could be used for a cyberattack. I further pointed out that the availability of the file online exposes the school to hefty penalties from the Office of the Data Protection Commissioner.
I suggested that they remove the file and change how the online form handles information.
Now I wait to see if the school will respond.
Is your website exposing your clients’ private data?