Is it risky to share your personal data by participating in online contests? This is what a young computer scientist from Quebec City wanted to verify after registering for a contest on the Couche-Tard company’s website. He discovered a flaw in the privacy protection of thousands of participants, which exposed their phone numbers and information about their activities in the game.
Last July, Marc-Alexandre Paquet participated in Couche-Tard’s game Roche paper gifts. A data scientist, he took the opportunity to test the security of personal information, such as telephone numbers, left on the company’s website.
“In the space of six days, the program I wrote was able to pick up over 100,000 phone numbers, just for Quebec,” he says. “I wanted to see if I was going to get blocked. I did not use any circumvention mechanism. Everything was starting from here [Editor’s note: from his residence]: IP address, a proxy, a VPN service, things like that.”
Marc-Alexandre Paquet then hastened to alert the company, sending it e-mails in which he clearly indicated that the contest had security flaws.
“I thought, ‘I’m going to send them the information and I guess they’re either going to fix the bug or contact me to see exactly how the data breach was happening,’” he says. “I had no response from them.”
We contacted the company, which initially assured us that there were no security issues. However, the contest site was closed as a precautionary measure.
Then, after seeing an extract of data from its website, Couche-Tard found the flaw.
“That said, we currently have no indication that data exfiltration occurred,” Couche-Tard spokeswoman Laurence Myre Leroux wrote in an email.
Marc-Alexandre Paquet says this is not an isolated case, as he has already observed other security problems at other sites.
Jeff Walker, head of cybersecurity at Best VPN Canada, a VPN security company, is not surprised by the discovery of the young computer scientist.
“It’s the kind of thing that happens a lot more often than you think,” he says.
“We must not forget that these games are applications developed by human beings,” he notes. “Humans make mistakes. These errors can turn into bugs, which can be exploited as cybersecurity vulnerabilities.”
“This kind of data can quickly become a turnkey system for fraudsters too, because it is personal information about people. Even if we don’t have all the data, we have enough data to potentially defraud someone.”
He would also like to warn people who leave personal information on one website after another: “The information given online, even if it can be as insignificant, in quotation marks, as participating in a contest, assume that it will leak one day.”
Couche-Tard maintains that there has been no leakage of information and says it is conducting a thorough security analysis.
“Cybersecurity is a concern for all large companies,” its spokeswoman wrote. “We would like to remind everyone to always exercise caution in their digital communications and to report any suspicious activity.”