1. You call yourself “Carrefour“, you put up a marketing campaign and ask your customers to fill in a form where one of the fields is the Numerical Personal Code. Of course, you are not registered as a company who deals with private data (according to ANSPDCP‘s website). There are a lot of people out there that give their personal information just to get 10$.  I really wonder if it was to give their credit card info and PIN, would they really give it?

2. What about if you are a bank? Or a customer of a bank? Theoretically your private details like bank account, CNP, address, etc should be safe. Well…that’s the theory. There is one bank out there (you’ll discover the name below) that allows you to find protected info about any of its customers. Let’s say you have an i-banking account with them and you get the IBAN account of one of their customers. As soon as you try to make a money transfer to that person, you will get that person’s name. What’s wrong with that you will say. Well, you can just play around with the IBAN account and discover other valid accounts along with the holder’s name. Ok, I agree, maybe that’s not a serious security problem. Once you continue with the money transfer, you can see more: in the details of the transfer you also get the CNP of that someone. And yes, the bank is registered as a private company who deals with confidential data and obeys the law. Right!

See a demo for yourself. I have blurred some details, but that’s the only edit on the video.

A few months ago I was googleing a friend’s name in order to find his email address. While searching I got to a website which showed his address and telephone number. I was pretty surprised to see that and since the website had a search engine, I started to look for different persons – for some I got results. This was looking more and more interesting. I notice that there was also possible to create a test account with some free credits and with more search results. After waiting a day or so I finally got my account. Now the information I could find was astonishing. Not only I got the address and the phone, but also the Numerical Personal Code, what bank loans did they have (if any), how much they got ad so on.

As you can see all the information is there. For privacy reasons I have hidden the data. But from where such a website could get all that information? Is there someone freely submitting the information? The response came quickly:

I was WOW-ed. So our own government is publishing all these information to the public? What about data protection? What about privacy? It was kind of hard to believe, but after searching some published papers by the Romanian’s Official Journal I convinced myself of the reality.

After accessing the official published paper I could also find: address, the date when the ID card was issued, the issuer name, ID number, Numerical Personal Code. If this is published freely by the government, then what else could I ask to a private company? Luckily, I knew that there is also an agency which is taking care of such issues – ANSPDCP (hard to translate ). However, how could I contact the agency (which is controlled by the government) and ask them to remove such information?

All that Vrajitorul website does is to get this information and structure it in a way that you can easily find. BUT there is hope. In case your personal identification info is somewhere on a website, you can contact the owner of the website and kindly ask to remove all this information as they are breaking the personal data protection law and in case they will not do so, you will contact the ANSPDCP agency. My friend did this and all the data that the website had about him was removed the next day. I strongly suggest you to do the same.

Comments? Next time I’ll write about some private companies (including a bank) which have problems in protecting sensitive information about their customers.