With the recent earthquake tragedy in Christchurch, I thought it best to add a few missing items to the family survival/disaster kit, and I ordered some key components from the company Survive-it through their online store. Survive-it operate from Porirua. Despite the large number of orders they were receiving at the time, they managed to send out my order quickly and efficiently.
I thought that this simple and straightforward transaction would be my last dealing with Survive-it. At least until the next time I need to top up the kit.
Today I received an email from Survive-it. It was letting me know that they had built a new website. They indicated in their email that they could not transfer my information from the old website to the new website (including my password), so they had reset it to “surviveit-password”. This looked a bit funny to me. No, the password they provided me didn’t look like it was a randomly generated password to protect my account from unsavory types. Could it be that Survive-it had given every user they moved over the same password? Surely not!
In subsequent email communications with the Director Rod Hall from Survive-it, he told me that they could only bring over my email and physical address to the new system. However, when logging in to the site with the password they provided, I found I could see everything from my previous account. I could see my full name, email address, postal address, phone number, and previous orders. I could see all the same details as I had before!
If what I believe has happened is true, Survive-it essentially changed everyone’s password to the same generic one and then emailed their entire customer base about the fact, along with the password!
I sent several emails to Survive-it and received responses from Rod Hall. When I contacted Survive-it they did not deny the fact that they had given everyone the same password when they moved them to the new system.
When I asked about the information being moved to the new system and available under the above password, Rod Hall replied:
“This information is currently publicly available (phone books, electoral roll etc), under the privacy laws of New Zealand, private information does not include publicly available information such as name, address etc. We did not copy phone numbers, order details or any other personal information. We do not hold credit card or any other banking information on our websites (after an order has been processed), therefore no such information is known to us from the old website and is not held on the new website either.”
I’m unsure of their reason to clarify their stance on the availability of the information when they claim they have not breached any laws.
Rod’s comments suggest to me that they believe there aren’t any limitations on the information because it’s all publicly available. Does that mean that it’s ok to link this information that would normally be found from several sources and potentially put it at risk with a weak and known password?
It’s good to see that Survive-it does not hold credit card or banking information through their service. I know that some companies will hold credit card information to speed up processing for their customers, but I don’t really like the added risk attached (are you reading, iTunes store people?).
If you are a Survive-it customer, perhaps you should consider contacting them and asking them what is going on. I see they have a pronounced “delete account” option on their website which I have now made use of. I will update this entry should any further information come to light. I invite anyone to make comment on this.
UPDATE: 7:30pm
I have received a further email from Rod acknowledging my displeasure, but strongly adhering to the belief they have done no wrong.