[arielm]

While your point is valid I think you're getting doe voted because you're completely forgetting that the probability of someone malicious finding out about this vulnerability and exploring it without disclosing is quite high. Going through legal channels would just mean the api will be live for longer. Lawyers like to take their time.

Instead, the disclosure resulted in the API being shut down within the hour. A much better result IMO.

[clobec]

I don't disagree with you but I still think I have a good point.

He should have gone to the ICO straight away as well as report directly to moonpig then if it wasn't fixed within x amount of time, take next escalation step (which may or may not be public disclosure). Given that it's midnight in the UK now, we're lucky that they acted so quickly (assuming the offline API isn't just scheduled downtime).

Going public had no guarantee that would have taken the API offline. I guess taking risks like that is easy when it's now your own data that's being compromised....

[johngd]

I'll add my two cents a non-Brit: I have never heard of the ICO until this thread. Someone please correct me, but the closest thing we have in the states may be contacting the Attorney General?

I say this thinking of the argument the rest of the world makes when the DMCA threat is used against a non-US entity.

[DanBC]

The ICO is a bureaucrat with responsibility for enforcing the Data Protection Act. There is a small amount of overlap with the Surveillance Commissioner who oversees all surveillance, especially under RIPA (regulation of investigatory powers act).

The ICO is reasonably good - I don't get any (personal) junk telephone calls or junk mail because of our laws about how companies handle my data. (This seems like a trivial example now I've typed it! But it did mark a clear difference between before and after ICO).

https://ico.org.uk/

The website and reporting is much better than it used to be. ("Please download, print, and complete this MS Word document, then post it to this address")

[clobec]

Moonpig is UK based. He could have looked up how to report a data breach in the UK.

Not sure what the DMCA reference is about. I understand that people use DMCS on companies that are not US based therefore it has no power. Still not sure why you mentioned that though.

[johngd]

Yea, you're right; I thought that some context might be needed after I posted.

They aren't related whatsoever, however the thought process of being put into the same position as the security research in this article is what made the connection for me. Assuming that the author wasn't from the UK (he probably is, but bare with me), as someone from the States I would have assumed that having an email exchange with the company was more than enough especially if there a reply on their end.

From my perspective, again knowing nothing about UK law (as much as people in the UK, China, or Fiji may know about US Law), I wouldn't know where to turn after that. Maybe a teaser post, without disclosing everything? If it weren't for the fact that the author stated that he had several two-way conversations with a representative of the company, I would have more sympathy for moonpig.

Speaking of which: How effective is the ICO?

[troels]

The ICO is pretty well known in the UK though. I'm not from the UK and I know about them. (Mostly because of their role in the whole eu-cookie-law farce)

[scott_karana]

The guy who found the vulnerability in 2013 could have simply reported it to authorities at the time. If their turnaround was earlier than 2015, it would have worked out better, yes?

[arielm]

I'm guessing he didn't think the company wouldn't fix such a huge issue...

[scott_karana]

He could have reported this to the Information Commissioner's office in 2013, and then if either the company or the IC failed to do anything, then disclose, at this exact timeline.

Then, at least, the legal system would have also been given a chance to resolve this without full disclosure and potential doxxing.