Jack Wills Best Summer Job – Data Leaked
A friend of mine was voting for his friend in a contest for a Jack Wills Summer Job (http://www.jackwills.com/en-gb/bestsummerjob and #BSJIGB on Twitter) on Tuesday, and as a web developer he was curious what voting system they were using. In fairness, so was I.
Armed with his developer's toolkit, he decided to go take a look. The first thing he noticed was that in the page source code he could see, there were no references to the voting package used. So he fired up Firebug (a developer's toolkit – highly recommended!), and was surprised by what he saw.

One thing I have learnt is to get in touch (Matt Cutts taught me that), so I tweeted one of the girls in the competition. She was pretty shocked but confirmed via email that the data was her personal data.
“Yes, that is all the info I entered into the application for the Jack Wills job.”
So I rang Jack Wills, seeing as Twitter hadn’t worked – sadface:

While on the phone I asked James, one of the in-house programmers at Bronco, to have a look, as I was concerned that the data leak was Facebook and not Jack Wills (maybe because I like the JW brand and, well, my son is a massive fan). James soon confirmed my worst suspicions: it was Jack Wills. The data was coming from a JS file, but they were only showing the address on the site, while the JS file actually contained:
Home addresses, mobile phone numbers and much more personal data. I have added the xxx’s in, but here is the structured data we found:
“Id”: 1593,
“FacebookUserId”: 5xxxxxxx9,
“FacebookUser”: null,
“SeasonaireJobId”: 1,
“SeasonaireJob”: null,
“SelectedPhoto”: “http://photos-d.ak.fbcdn.net/hphotos-ak-prn1/xxxxxxxxxxxx.jpg”,
“FullName”: “Phoebe xxxxxxxxxxxxxk”,
“DOB”: “/Date(7xxxxxxxxxx000)/”,
“Email”: “phoxxxxxxxxxxxk@googlemail.com”,
“TelNumber”: “0xxxxxxxxx6”,
“Gender”: “F”,
“GraduationDate”: “/Date(1xxxxxxxx0)/”,
“TwitterHandle”: “@PhoxxxxRF”,
“InstagramAddress”: “@PHxxxxxF”,
“UniversityName”: “Sheffield Hallam University”,
“UniversityMailingAddress”: “txxxxxxxxxxxx rn”,
“UniversityZipCode”: “SxxxB”,
“HomeAddress”: “Beech xxxxxxxxxxxxxx Cheshire”,
“HomeAddressZipCode”: “Sxxxxxx”,
“FullTimeStudent”: xxx,
“ValidDriversLicense”: xxx,
“ValidUSPassport”: xxx,
“CanBeEmployed”: xxx,
“CountryOfCitizenship”: “GB”,
“AcademicInterests”: “xxxxxx”,
“NextOnBucketList”: “xxxxx”,
“BestSummerEssay”xxxx”,
“ApplicationComplete”: true,
“DateCreated”: “/Date(xxxx)/”,
“LastUpdated”: “/Date(1xxxxxxx)/”,
“StoreRef”: “WEBJWUK”,
“CurrencyRef”: “GBP”,
“EmailOptIn”: xxxe,
“IsShortListed”: xxxx,
“Rating”: null,
I am glad to say that the Jack Wills team quickly fixed the issues and no real harm was done, but the lesson we all should learn is test, test and test again! The last thing these young people need is their personal data exposed to the world or unwanted attention from undesirable types.
Secondly, if someone tells you that you have a data issue, even on Twitter, engage and fix the issues, as people could easily have read Barry’s tweet.
Thanks to Barry Cooke at QDOS Digital and Lotte for confirming the data was in fact true.
Dave
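The kind of test that catches this before launch, as an added example that is not code from the post or from Jack Wills: the server builds each public entry from an allow-list, and a release check walks the JSON that is actually sent to the browser and reports any field outside it. The field names are taken from the record above; which fields are safe to publish, and the function names, are assumptions.

```javascript
// Added example. Field names come from the record in the post; the choice of
// publishable fields (PUBLIC_FIELDS) is an assumption made for illustration.
const PUBLIC_FIELDS = ["Id", "FullName", "SelectedPhoto", "UniversityName"];

// Build what goes to the browser from an allow-list, so any column added to
// the applicant record later stays private unless someone opts it in.
function toPublicEntry(record) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, key)) out[key] = record[key];
  }
  return out;
}

// Release check: walk a parsed response (arrays and nested objects included)
// and return the path of every property that is not on the allow-list.
function findLeakedFields(payload, path = "$") {
  if (Array.isArray(payload)) {
    return payload.flatMap((item, i) => findLeakedFields(item, `${path}[${i}]`));
  }
  if (payload === null || typeof payload !== "object") return [];
  return Object.entries(payload).flatMap(([key, value]) => {
    const here = `${path}.${key}`;
    return PUBLIC_FIELDS.includes(key) ? findLeakedFields(value, here) : [here];
  });
}

// Constructed sample record (no real applicant data).
const SAMPLE_RECORD = {
  Id: 1,
  FullName: "Test Applicant",
  SelectedPhoto: "https://example.invalid/photo.jpg",
  UniversityName: "Example University",
  Email: "applicant@example.invalid",
  TelNumber: "00000000000",
  HomeAddress: "1 Example Street",
  HomeAddressZipCode: "ZZ0 0ZZ",
  DOB: "/Date(0)/",
  IsShortListed: false,
};

// What the browser would receive when the whole record is serialised,
// versus when each record goes through the allow-list first.
const rawResponse = JSON.parse(JSON.stringify([SAMPLE_RECORD]));
const safeResponse = JSON.parse(JSON.stringify([SAMPLE_RECORD].map(toPublicEntry)));
console.log("raw leaks:", findLeakedFields(rawResponse));
console.log("safe leaks:", findLeakedFields(safeResponse));
```

Run the check against the real response body in CI or before a campaign goes live; what the page chooses to render says nothing about what the file behind it contains.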
1 Lonely Comment
Tomas Bishop - http://2createabizonline@gmail.com
You did the right thing, David, by contacting the owner and addressing the problem to him. A lot of people would have taken advantage of the situation. And thanks for the lesson! I’ll be careful in the future.