I recently bought an HP Ink Advantage 3545 All in One. It was purchased while HP was running an offer wherein I could choose and redeem one of the available options. I opted for a free black cartridge. While there are further formalities to be completed before HP can send me the free cartridge, I received a mail today from HP with a link to redemptionsupport.com. I can go to this website and check the status of my claim.
I visited the website and I could view the claim status on the site after I entered the 7-digit code I received in the mail. No password is required, no captcha, no verification.
I then entered the next number (my code + 1, which does not belong to me). I could then view the claim status of some other person who registered/claimed after me. I tried the next number, next, next and next. I can see details of others easily.
What is the concern in this? The concern is that the details include the name, address, mobile number and email address, apart from other details.
HP is letting visitors see all these details of their customers without requiring any password. Of course, it needs a 7-digit code, but that's not difficult: I can enter a random 7-digit number and get details of some xyz person. It is a plain numeric code which I think is allotted in series.
What if someone sees a random person's details? HP should not display details like this without requiring a password. There are bots/spiders/scrapers which scrape details like address/email/phone numbers from web pages and build the databases of telemarketers/spammers. Knowing the size of HP, imagine how many addresses these bots can get from HP’s redemptionsupport website.
This database of HP customers who try to redeem something will keep growing as HP keeps running one offer or the other. Using random numbers, I could see details of a customer who claimed the freebie more than a year back. This means HP does not remove the details even after the claim is fulfilled. There may be records even older than this.
The details also include the product, model, serial number, date of purchase, etc. This was not limited to printers; it included products like laptops too. I’m not sure if serial numbers can also be misused, but they were also displayed.
I hope HP realizes this and removes access to the customer records in such a way. To bring it to the notice of HP, this article has been tweeted to hp, hpindia, hpnews, hpsupport, hpprint and hpdeals. If you have a better idea of bringing it to their notice, please do.
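One way a claim-status lookup could avoid the problems described in this post, as an added example (it is not HP's code and not part of the original article): the claim reference is a random token instead of a serial number, the claimant's email is required as a second value, repeated failures are locked out, and only the status is returned. `ClaimStore`, `MAX_FAILURES` and the `client` identifier are hypothetical names chosen for this sketch.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_FAILURES = 5  # assumed lockout threshold per client (hypothetical value)


class ClaimStore:
    """Claim-status lookup keyed by an unguessable token plus the claimant's email."""

    def __init__(self):
        self._claims = {}                  # sha256(token) -> claim record
        self._failures = defaultdict(int)  # client id -> failed lookups

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not hand out valid tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, status):
        # 128 bits from the OS CSPRNG: neighbouring claims share no pattern,
        # unlike a 7-digit serial where code + 1 is the next customer.
        token = secrets.token_urlsafe(16)
        self._claims[self._digest(token)] = {"email": email.lower(), "status": status}
        return token

    def lookup(self, client, token, email):
        """Return the claim status, or None on any failure (one uniform answer)."""
        if self._failures[client] >= MAX_FAILURES:
            return None  # locked out; a real service would also alert and expire the lock
        record = self._claims.get(self._digest(token))
        expected = record["email"] if record else ""
        # The token alone is not enough; the email comparison is constant-time.
        if record and hmac.compare_digest(expected.encode(), email.lower().encode()):
            return {"status": record["status"]}  # status only: no name, address or phone
        self._failures[client] += 1
        return None
```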