Which? under fire over security scare

The Which? Online warning about its security blunder

By BBC News Online technology correspondent Mark Ward

The Consumers' Association (CA) has been sharply criticised by security experts for its blunder that exposed credit card details on the internet.

Although the CA acted quickly once it knew about the breach, experts said it simply should not have made the mistake in the first place.

Experts said that the web is now too mature for people to blame "teething troubles" for such errors.

The insecure site has been shut down and the Association is now conducting an independent audit to work out what went wrong.

Consumer caution

On Friday the Consumers' Association revealed that it had fallen short of its own standards by exposing consumers' credit card details on its TaxCalc website.

There's a danger that we are willing to accept that blunders are going to be made

Aled Miles, Symantec

Up to 2,700 people are thought to have been affected by the blunder and the CA is urging them all to cancel their cards to thwart anyone who has stolen the details.

The Association said it had commissioned an independent assessment of the TaxCalc website to find out what went wrong. The website will be shut down until the breach is fixed.

But experts said that the CA can offer no excuses for making such a public mistake.

"There's a danger that we are willing to accept that blunders are going to be made," said Aled Miles, UK managing director of security company Symantec. "This should not happen."

Mr Miles said people now knew enough about the best way to run websites to ensure confidential information is protected and get it right every day.

He said: "There are hundreds of websites that hold sensitive information and do so in a very secure way."

His comments were echoed by David Sear, chief executive of online cash company WorldPay.

He said: "It is not difficult and the technology is available, so we really should not see this happen in today's online trading community."

Mr Sear said he saw no reason why credit card details had to be stored by companies once a payment has been processed.

Stake your reputation

Now there are many schemes and certification bodies that oversee the security industry and try to ensure that best practice is employed and companies and consultants are doing a good job.

In recognition of the fact that web security can be easy to get wrong and hard to master, many companies are handing over the responsibility for it to external firms who do nothing but monitor networks for hack attempts, screen out computer viruses, and look for loopholes to close.

Nokia too has suffered a security lapse

Symantec's Aled Miles said that many companies are doing this because they have realised that trust in their good name takes a long time to build up, but can be destroyed or damaged with a single blunder.

Ironically the Consumers' Association is one of the organisations behind the Trust UK scheme which tries to encourage high standards among web firms.

It is only the latest in a long list of organisations that have put customers at risk through lax security.

Earlier this week Nokia admitted that a bug in the sign-up system for its Club Nokia website had allowed some members to see the details of other people.

At the same time US company ZixIt reported that a database holding details of customers' credit cards had been hacked. The company said it was still investigating and as yet did not know how many people were effected.

In one of the worst security breaches, online music maker CD Universe was hacked, exposing the credit card numbers of up to 350,000 customers.