Security hole found in top price-comparison sites

Exclusive: PC Pro investigation reveals price-comparison websites are failing to protect customers' personal data

Davey Winder
1 Sep 2010

A PC Pro investigation has revealed a gaping security hole in leading price-comparison websites.

While sites such as Confused.com and Comparethemarket.com might save you time and money, the true cost could be higher than you think, courtesy of a basic flaw in how they secure customers' personal data.

Following a reader tip-off, we visited Comparethemarket.com and clicked the "retrieve a quote" button. To gain full access to an account holder's entire quote history, all that was required was their email address, surname and date of birth: details that can easily be harvested from social-networking sites such as Facebook.

This was enough to unlock a veritable treasure chest of further valuable data, including telephone numbers, car registration and make, occupation, personal details of a spouse and, where home-insurance quotes had been run, property details. And all of this without any need to enter an account password or click a link in a validation email sent to the account holder's address: just click the submit button and all that data appears on screen.

Confused.com was little better: all we needed to do was fill out a simple web form to reset the account holder's password and access the quote history of anyone who had "forgotten their password", which could, of course, include identity thieves.

This time, all we needed to change the account password and get instant access to the quote-history data was an email address, date of birth, postcode and surname. Again, all information that is in the public domain and easily obtainable. The account holder would be none the wiser: no email is sent even to confirm that the password had been changed.
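To make the failure concrete, here is an added example (not code from either site, whose internals PC Pro did not see) contrasting the knowledge-based reset described above with the kind of flow a security engineer would expect instead: a random, single-use, short-lived token sent only to the registered email address, the same response whether or not the address is registered, and a notification once the password actually changes. The account store, names and quote data are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns salt || digest so the salt travels with the hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(account, password):
    stored = account["password"]
    salt = stored[:16]
    return hmac.compare_digest(_hash_password(password, salt), stored)


# Constructed demo account (hypothetical data, not from the article). Surname,
# date of birth and postcode are exactly the sort of details the article says
# can be harvested from social-networking profiles.
ACCOUNTS = {
    "jane.doe@example.com": {
        "surname": "Doe",
        "dob": "1975-03-14",
        "postcode": "SW1A 1AA",
        "password": _hash_password("correct horse battery staple"),
        "quotes": ["car: 2010-08-02, reg AB10 CDE", "home: 2010-07-19, 3-bed semi"],
    }
}


def _norm(value):
    return "".join(value.split()).casefold()


def weak_reset(email, surname, dob, postcode, new_password):
    """The flow as described above: public attributes are the only check, the
    password changes immediately, and nothing is sent to the account holder."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    supplied = (_norm(surname), dob, _norm(postcode))
    if supplied != (_norm(acct["surname"]), acct["dob"], _norm(acct["postcode"])):
        return None
    acct["password"] = _hash_password(new_password)
    return list(acct["quotes"])  # attacker now holds the quote history


# --- Hardened flow: out-of-band token, single use, expiring, with notification ---
RESET_TOKEN_TTL = 15 * 60          # seconds a reset link stays valid
RESET_TOKENS = {}                  # sha256(token) -> (email, expiry); raw token never stored
OUTBOX = []                        # stand-in for the mail system: (recipient, message)


def request_reset(email, now):
    """Issue a reset link. The reply is identical for unknown addresses so the
    form cannot be used to enumerate which emails hold an account."""
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[key] = (email, now + RESET_TOKEN_TTL)
        OUTBOX.append((email, "reset-link:" + token))   # only the mailbox owner sees this
    return "If that address is registered, we have emailed a reset link."


def complete_reset(token, new_password, now):
    """Consume the token (pop makes it single-use), reject it if expired,
    then change the password and tell the account holder it happened."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password"] = _hash_password(new_password)
    OUTBOX.append((email, "notice: your password was changed; contact us if this was not you"))
    return True


def retrieve_quotes(email, password):
    """Quote history is released only against the password, never against
    surname/DOB/postcode."""
    acct = ACCOUNTS.get(email)
    if acct is None or not check_password(acct, password):
        return None
    return list(acct["quotes"])


if __name__ == "__main__":
    print("weak flow leaks:", weak_reset("jane.doe@example.com", "doe", "1975-03-14", "sw1a1aa", "pwned"))
    print(request_reset("jane.doe@example.com", now=0))
    link_token = OUTBOX[-1][1].split(":", 1)[1]
    print("hardened reset ok:", complete_reset(link_token, "new secret", now=60))
    print("replayed token ok:", complete_reset(link_token, "again", now=61))
```

The two properties the article finds missing map directly onto `complete_reset`: possession of the token proves control of the registered mailbox (the site never accepts public attributes as identity), and the appended notice means a victim learns of a hijack instead of being "none the wiser".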

Privacy policies

The Comparethemarket.com privacy policy states: "We comply with and are registered under the data protection laws in the United Kingdom and take all reasonable steps to prevent any unauthorised access to your personal data," although the evidence we have uncovered would suggest otherwise.

Meanwhile, the Confused.com privacy policy states: "Our security procedures mean that we always require proof of your identity before we will disclose information to you. Proof of identity includes your password, which is why you should never reveal it to anyone," except anyone can change that password with the minimum of fuss and without the account holder being any the wiser.

PC Pro contacted both Comparethemarket.com and Confused.com last week to inform them of the findings of our investigation and to enable them to improve their security before we published this story. We received no reply to our communications from Comparethemarket.com, but a spokesperson from Confused.com told us: "We take our customers' data protection seriously. We are currently in the process of upgrading our password reset and retrieval methods to enhance security for our customers including use of additional security questions, and this will be available in the near future."

At the time of publication, neither company had made any changes to the security of its quote-retrieval process.

To read the full version of this investigation, read Davey Winder's Real World Computing column in issue 194 of PC Pro, on sale mid-October.
