Response from ICO regarding plain text passwords

Dec 11th, 2013
11 December 2013

Case Reference Number *snip*

Dear Mr Helme

I am writing to you further to my correspondence of 22 November 2013 regarding your data protection complaint about Eat Commerce Limited (ECL), which operates the Subcard loyalty programme at Subway.

When I last wrote to you, I explained that when we receive complaints, our obligation is to make an assessment. The assessment is the Information Commissioner’s view about whether an organisation has followed the rules of good practice for handling information in the Data Protection Act 1998 (the DPA).

I also explained that our aim is to ensure that organisations deal with personal information properly in the future. Our assessment decisions can help us to decide whether we should take action against a particular organisation.

Our assessment decision

I wrote to ECL about this matter and have now received its response. On the basis of all of the information provided by you and ECL, we have decided that it is likely that ECL has complied with the requirements of the DPA in this case.

This is because, in my view, ECL has met its obligations under the seventh data protection principle in this case.

The seventh data protection principle states that an organisation should take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data.

ECL says that its website uses Secure Sockets Layer (SSL) to protect personal data exchanged between ECL, Subway and its customers. ECL explains that all personal data is stored behind an Oracle Server-grade firewall. ECL says that if a customer is to gain access to their password, they must have access to the email address that they used to register with the Subcard programme. Moreover, I understand that access to the password database is limited by ECL’s employment/supplier contracts that manage the necessary permissions and liabilities.
When an organisation considers the appropriate technical and organisational measures it should have in place to protect personal data, it should also take into account the nature of the information which is to be protected and the harm which might result from any unauthorised or unlawful processing of personal data. It appears that ECL does not store any financial or sensitive personal data about its customers through the Subcard programme.
From the information provided, it appears that ECL has appropriate technical and organisational measures in place to prevent the unauthorised or unlawful processing of Subcard users’ passwords. Therefore, it seems that ECL has met its obligations of the seventh data protection principle. Consequently, it is likely that ECL has complied with the requirements of the DPA in this case.

ECL says that it is currently updating its password recovery system to the Forgotten Password Reset functionality. I understand that this will prevent customers from gaining access to any passwords provided to ECL, and instead they will only be able to reset their own password.

As we have now made our assessment, the matter is now closed. Thank you for bringing it to our attention.

Yours sincerely

John Lees
Case Officer
Complaints Resolution (Group 2)
Direct dial number *snip*

____________________________________________________________________

The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

If you are not the intended recipient of this email (and any attachment), please inform the sender by return email and destroy all copies. Unauthorised access, use, disclosure, storage or copying is not permitted.

Communication by internet email is not secure as messages can be intercepted and read by someone else. Therefore we strongly advise you not to email any information, which if disclosed to unrelated third parties would be likely to cause you distress. If you have an enquiry of this nature please provide a postal address to allow us to communicate with you in a more secure way. If you want us to respond by email you must realise that there can be no guarantee of privacy.

Any email including its content may be monitored and used by the Information Commissioner's Office for reasons of security and for monitoring internal compliance with the office policy on staff use. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you write or forward is within the bounds of the law.

The Information Commissioner's Office cannot guarantee that this message or any attachment is virus free or has not been intercepted and amended. You should perform your own virus checks.

__________________________________________________________________

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web:
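The letter above contrasts a password recovery system that can hand a customer their password back with a reset-only flow. The following Python is an added example, not code from the ICO, Eat Commerce Limited or Subway, showing the defensive design behind that change: the service keeps only a salted, slow hash of each password (so there is no plaintext to return), and handles "forgotten password" by issuing a short-lived, single-use token of which only a hash is stored server-side. The `UserStore` class, the in-memory tables, the `example.invalid` address and the 15-minute token lifetime are constructed for the illustration.

```python
"""Hashed password storage plus a reset-token flow.

Added example for this page; not code from the ICO or Eat Commerce Limited.
The store, the sample account and the token lifetime are constructed.
"""
import hashlib
import hmac
import os
import secrets
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # scrypt cost parameters
PBKDF2_ITERS = 600_000                      # fallback if scrypt is unavailable
RESET_TOKEN_TTL = 15 * 60                   # seconds a reset link stays valid


class UserStore:
    """In-memory stand-in for the account and reset-token tables (constructed)."""

    def __init__(self):
        self.users = {}         # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}  # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _derive(password, salt):
        """Slow, salted key derivation; the output is all that is ever stored."""
        pw = password.encode("utf-8")
        if hasattr(hashlib, "scrypt"):
            return hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                                  p=SCRYPT_P, dklen=32)
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERS, dklen=32)

    def register(self, email, password):
        salt = os.urandom(16)  # fresh salt per (re)registration
        self.users[email] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            self._derive(password, b"\x00" * 16)  # same cost for unknown accounts
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def request_reset(self, email, now=None):
        """Return a one-time token for the emailed link; store only its hash."""
        if email not in self.users:
            return None  # the caller replies identically either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (email, (now or time.time()) + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject if expired, set a new hash."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)
        if entry is None:
            return False
        email, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.register(email, new_password)
        return True


def demo():
    """Run the full flow on a constructed account and report each outcome."""
    store = UserStore()
    email, old_pw, new_pw = "customer@example.invalid", "correct horse battery", "new pass"
    store.register(email, old_pw)
    rec = store.users[email]
    r = {}
    r["login_ok"] = store.verify(email, old_pw)
    r["login_wrong"] = store.verify(email, "wrong")
    r["plaintext_stored"] = old_pw.encode() in rec["salt"] + rec["hash"]
    t1 = store.request_reset(email, now=1000.0)
    r["token_in_db"] = t1 in store.reset_tokens
    r["expired_rejected"] = not store.complete_reset(t1, new_pw, now=1000.0 + RESET_TOKEN_TTL + 1)
    t2 = store.request_reset(email, now=2000.0)
    r["reset_ok"] = store.complete_reset(t2, new_pw, now=2010.0)
    r["reuse_rejected"] = not store.complete_reset(t2, "again", now=2011.0)
    r["old_password_rejected"] = not store.verify(email, old_pw)
    r["new_password_ok"] = store.verify(email, new_pw)
    r["unknown_email"] = store.request_reset("nobody@example.invalid") is None
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the flow makes is structural: because `register` discards the password after deriving the hash, there is no code path that could email it back, and `request_reset` stores only a hash of the token, so a copy of the database yields neither passwords nor usable reset links.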