How EKMPowershop leaks personal data
Online service providers have a duty of trust to protect the data we give them – but it appears that some take this more seriously than others. EKMPowershop.com is a long established, UK-based provider of ecommerce software and, just last week, I was signing up for trial accounts with all the major players, including EKM, as part of a forthcoming Real World column.
Imagine my surprise, then, at seeing the contact details of a complete stranger in my trial shop. At first, I thought this might be dummy data but, on emailing the person concerned (I could, alternatively, have rung her using the details EKM kindly provided) I discovered someone as shocked as me that her information was not as private or secure as she imagined.
Naturally, I contacted EKM’s support team but it’s now ten days later and the problem persists. I shan’t describe how to access these private details for obvious reasons but suffice it to say the only sensible response by EKM would have been to remove the trial functionality until the hole was patched.
Instead of that, EKM has prevaricated. Here’s the latest email from EKM’s support team, received yesterday, following a complaint by my surprised correspondent:
“When a demo shop is in use by a prospective customer, the system is designed in such a way that it should not allow another demo shop user to log into it, until it resets overnight and wipes the shop data.
Unfortunately it looks as though in this instance, the system did allow another demo shop user to log into the shop after someone had been using it, and before the system had reset it, which then allowed you to view the details that they had entered into the backend of the demo shop.”
The use of the phrase “in this instance” implies a one-off and yet, since reporting the issue, I’ve repeatedly checked the site and, on each occasion, could have harvested the details of another poor unfortunate who made the mistake of trusting their data to EKMPowershop.
Note that the email talks about a “demo shop” whereas, on its site, EKM refers to this as a “free trial” – a completely different thing. Most people understand a demo shop to be just that, something that is open to all, demonstrating the main functionality of the back-end as well as the shop itself – and certainly not a place to be entering personal details.
A free trial, on the other hand, is usually a time-limited version of the real service – the usual form is to populate the trial with all your real data so you can decide whether to upgrade to the paid-for service. Because of this, trials must be private. EKMPowershop, in fact, goes out of its way to encourage you to populate your “free trial” with data – whilst at no point telling you that this data will be deleted overnight. If it looks like a free trial, says it’s a free trial and acts like a free trial, users are justified in thinking it’s not an open demo.
I don’t know how long this problem has existed, or why EKM seems so confused about the purpose and function of its own trial. But I certainly don’t expect such a disinterested and complacent response from what is supposed to be a professional outfit.
For now, prospective online shop owners should sign up for the bona fide trial accounts offered by providers such as Volusion or BigCommerce – they at least seem to take the privacy of their users more seriously.