Security blunder rocks Ryanair

Credit card details not kept confidential

Written by Liesbeth Evers

Network IT Week, 06 Nov 2001

Ryanair has admitted its online recruitment site has a serious security flaw that exposes job seekers' details to the eyes of crackers.

Sensitive personal information such as credit card details, health records and career history is collected by the unsecured site and sent in unencrypted email to the back-office.

The flaw potentially breaches the Data Protection Act, which came into force last week. Chris McAlpine of the Information Commissioner's Office said: "The transfer has to be secure, especially for sensitive data."

Phil Robinson, managing consultant at Information Risk Management, argued the inclusion of credit card details made the vulnerability "very serious".

Unlike personal data, credit card details can easily be turned into money.

The only way a pilot can apply for a job at Ryanair is via the internet. The recruitment data contains credit card information because Ryanair refuses to consider applications unless a £50 fee is paid.

Embarrassingly for Ryanair, this vulnerability is easy and cheap to avoid.

For SSL security, the encryption feature in the software should be switched on. The company then has only to spend a few hundred pounds on a digital certificate to ensure data is sent to the correct party instead of a rogue server.

"Securing a site through SSL is usually a very simple job," said Robinson.

"Without it, a network sniffer can pick up unsecured data passing through a cable modem or the local site of the ISP. Or someone can spoof Ryanair's domain name and set up a rogue server to receive data from an imitated site."

Michael O'Leary, chief executive at Ryanair, admitted the security blunder to the BBC last week. He promised the security leak would be fixed by this week. Ryanair has since refused to comment on the situation, although O'Leary has argued that it had not deterred job applicants from using the site.

Ryanair's recruitment site states explicitly that applicants' information will remain confidential.

"That is clearly incorrect," said Robinson. "The way the data is submitted is totally unconfidential."

Advertisement

Enjoyed this article? Help spread the word:

Comments

Have your say on this article

Also read

Related articles

White papers

Related jobs

More Accounting jobs

Most read

Most commented

Special Reports

Latest

Spotlight

Management Consultancy Top 75

21st annual survey shows another £1bn on revenues

bryan clark, chief information officer at kpmg europe

Profile: Bryan Clark, chief information officer at KPMG Europe

Getting the right infrastructure is instrumental in consolidating KPMG’s European...

Apprentices, Arnie and Archos in the latest YP

September issue of Young Professional appraises the year for our...

Find your next job

Find your next job

Advertisement

Salary Checker

Newsletters

Sign up here for the very latest news delivered to your inbox. Choose from the following options:

Search white papers

Search white papers

Advertisement

Have your say

THE BIG QUESTION: FAIR VALUE
Should fair value accounting be suspended in the wake of the market crisis?
Yes, it's a big part of the problem
No, don't shoot the messenger

Job of the week

More finance jobs

Advertisement

Your next job