Jack Wills Best Summer Job – Data Leaked

by David Naylor

A friend of mine was voting for his friend on a contest for a Jack Wills Summer Job (http://www.jackwills.com/en-gb/bestsummerjob and #BSJIGB on Twitter) on Tuesday and as a web developer he was curious what voting system they were using and in fairness so was I.

Armed with his developer’s toolkit he decided to go take a look. The first thing he noticed was that on the page source code he could see, there were no references to the voting package used. So he fired up Firebug (a developer’s toolkit – highly recommended!), and was surprised by what he saw.

One thing I have learnt is to get in touch (Matt Cutts taught me that), so I tweeted one of the girls in the competition. She was pretty shocked but confirmed via email that the data was her personal data.

“Yes, that is all the info I entered into the application for the Jack Wills job.”

So I rang Jack Wills, seeing as Twitter hadn’t worked – sadface.

While on the phone I asked James, one of the in-house programmers at Bronco, to have a look, as I was concerned that the data leak was Facebook and not Jack Wills (maybe because I like the JW brand and, well, my son is a massive fan). James soon confirmed my worst suspicions: it was Jack Wills. The data was coming from a JS file, but they were only showing the address on the site, while the JS file actually contained:

Home addresses, mobile phone numbers and much more personal data. I have added the xxx’s in, but here is the structured data we found:

"Id": 1593,
"FacebookUserId": 5xxxxxxx9,
"FacebookUser": null,
"SeasonaireJobId": 1,
"SeasonaireJob": null,
"SelectedPhoto": "http://photos-d.ak.fbcdn.net/hphotos-ak-prn1/xxxxxxxxxxxx.jpg",
"FullName": "Phoebe xxxxxxxxxxxxxk",
"DOB": "/Date(7xxxxxxxxxx000)/",
"Email": "phoxxxxxxxxxxxk@googlemail.com",
"TelNumber": "0xxxxxxxxx6",
"Gender": "F",
"GraduationDate": "/Date(1xxxxxxxx0)/",
"TwitterHandle": "@PhoxxxxRF",
"InstagramAddress": "@PHxxxxxF",
"UniversityName": "Sheffield Hallam University",
"UniversityMailingAddress": "txxxxxxxxxxxx rn",
"UniversityZipCode": "SxxxB",
"HomeAddress": "Beech xxxxxxxxxxxxxx Cheshire",
"HomeAddressZipCode": "Sxxxxxx",
"FullTimeStudent": xxx,
"ValidDriversLicense": xxx,
"ValidUSPassport": xxx,
"CanBeEmployed": xxx,
"CountryOfCitizenship": "GB",
"AcademicInterests": "xxxxxx",
"NextOnBucketList": "xxxxx",
"BestSummerEssay": "xxxx",
"ApplicationComplete": true,
"DateCreated": "/Date(xxxx)/",
"LastUpdated": "/Date(1xxxxxxx)/",
"StoreRef": "WEBJWUK",
"CurrencyRef": "GBP",
"EmailOptIn": xxxe,
"IsShortListed": xxxx,
"Rating": null,

I’m glad to say that the Jack Wills team quickly fixed the issues and no real harm was done, but the lesson we all should learn is test, test and test again! The last thing these young people need is their personal data exposed to the world or unwanted attention from undesirable types.

Secondly, if someone tells you that you have a data issue, even on Twitter, engage and fix the issues, as people could easily have read Barry’s tweet.

Thanks to Barry Cooke at QDOS Digital and Lotte for confirming the data was in fact true.

Dave
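
The leak described above came from sending the whole applicant record to the browser and showing only part of it on the page. As an added example (not code from Jack Wills or from this post), here is a server-side allowlist together with a release check over the JSON the browser receives; the field names are taken from the record above, while PUBLIC_FIELDS and every sample value are assumptions constructed for illustration.

```javascript
// Added example: field names come from the record in the post; values are constructed.
// PUBLIC_FIELDS is an assumption about what a voting page needs to render.
const PUBLIC_FIELDS = new Set(["Id", "FullName", "SelectedPhoto", "UniversityName"]);

// Server side: build the public object from the allowlist, so a column
// added to the applicant table later is never serialized by default.
function toPublicView(record) {
  const view = {};
  for (const key of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, key)) view[key] = record[key];
  }
  return view;
}

// Release check: walk whatever JSON the browser receives (nested objects and
// arrays included) and report every key that is not on the allowlist.
function findLeakedFields(payload, found = new Set()) {
  if (Array.isArray(payload)) {
    payload.forEach((item) => findLeakedFields(item, found));
  } else if (payload !== null && typeof payload === "object") {
    for (const [key, value] of Object.entries(payload)) {
      if (!PUBLIC_FIELDS.has(key)) found.add(key);
      findLeakedFields(value, found);
    }
  }
  return [...found].sort();
}

// Constructed sample shaped like the leaked record (placeholder values only).
const applicant = {
  Id: 1,
  FullName: "Example Applicant",
  SelectedPhoto: "https://cdn.example/photo.jpg",
  UniversityName: "Example University",
  Email: "applicant@example.com",
  TelNumber: "00000000000",
  HomeAddress: "1 Example Street",
  HomeAddressZipCode: "EX1 1EX",
  DOB: "/Date(0)/",
};

// What the script file carried versus what it should have carried.
const leakyResponse = JSON.stringify([applicant]);
const safeResponse = JSON.stringify([toPublicView(applicant)]);

console.log("leaky:", findLeakedFields(JSON.parse(leakyResponse)));
console.log("safe:", findLeakedFields(JSON.parse(safeResponse)));
```

Run as a test against the real response body before each release, a non-empty result from findLeakedFields fails the build.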
