Industry standards - Companies giving access to sensitive personal data (contracts, photos) on publicly accessible URLs.

I've recently come across the same issue twice, with major companies, so probably it has become a mainstream policy:

The first one, a multinational telco. I agreed to a new contract, which was published on a public URL for me to check and sign. The contract (which included my social security number, ID number, full name, date of birth, etc.) was there for about a month; it was removed after I protested. I can't tell for how long it would have stayed there.

The second one, an international enterprise: after I asked for my data stored on their systems (they give you the option, no special request needed) they sent me a public URL as well. It included my ID photos. They were there for 3 months, according to their policy. As an international company, they were much more cumbersome (rather unwilling) to remove them before the time their policy dictates; to be honest, I doubt whether I spoke to any human being, probably they were all bots. I can't tell if my ID photos were publicly available only after I asked for my data or from the day I signed up.

Both companies' answer was on the same basis: it's a URL which is not searchable (no results for this kind of URL from internet search engines), so since I'm the only one who has it, I'm the only one capable of accessing it.
I consider this to NOT be secure. It is like having something valuable on a public road, but a small road that no one passes by; most probably, but not 100%, it won't be stolen.

So my questions for anybody in the IT security or audit industry:

- How is it possible for this policy to be acceptable from major companies?

- Can a public URL really be considered safe just because it's long, no results are returned for it from search engines, and it is sent only to one person? It is sent by non-encrypted e-mail, so even if the rest of the chain were secure, it could be breached through mail.

- If a malicious person (cracker, black hat hacker, whatever the terminology) or just a curious and very lucky person who tries many different URLs accesses these data: is there any way to prosecute him/her? He did nothing unlawful; he just opened a public URL.

My question to hackers: have you managed to access such personal data on enterprise URLs? Is it really tough to traverse their sites to locate them?
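The question turns on the difference between "not indexed" and "not guessable", and on what the link is bound to. The following is an added illustration, not code from either company: it puts numbers on the blind-guessing risk for two constructed link formats (a 6-digit contract number versus a 32-byte random token) and sketches a link store that also limits the lifetime and ties the link to the logged-in owner, so secrecy of the URL is not the only control. Names, the TTL values and the sample data are assumptions.

```python
import math
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of randomness in a uniformly chosen token of `length` symbols."""
    return length * math.log2(alphabet_size)

def guess_probability(bits: float, attempts: int) -> float:
    """Chance that `attempts` blind URL guesses hit one live link.
    Search-engine indexing plays no part here; only the token's randomness does."""
    return min(1.0, attempts / 2 ** bits)

class LinkStore:
    """Constructed in-memory issuer of document links (a real system uses a DB)."""
    def __init__(self) -> None:
        self.links: dict = {}

    def issue(self, owner: str, resource: str, ttl: timedelta,
              now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        self.links[token] = {"owner": owner, "resource": resource,
                             "expires": now + ttl}
        return token

    def resolve(self, token: str, authenticated_user: Optional[str],
                now: Optional[datetime] = None) -> Optional[str]:
        """Return the resource only for an unexpired link opened by its owner."""
        now = now or datetime.now(timezone.utc)
        rec = self.links.get(token)
        if rec is None or now >= rec["expires"]:
            return None           # unknown or expired: nothing is served
        if rec["owner"] != authenticated_user:
            return None           # link alone is not enough; the session must match
        return rec["resource"]

def revoke(store: LinkStore, token: str) -> bool:
    """Honour a customer's removal request immediately instead of waiting for expiry."""
    return store.links.pop(token, None) is not None
```

With a 6-digit contract number, one million requests enumerate every link; with a 256-bit token, even a trillion guesses leave the hit probability far below 1e-60, which is the only sense in which "nobody else has it" holds.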