I have found a publicly accessible web page which discloses person-related data when queried with matching input data. This is against the company's own data protection promise. I want to report it responsibly with a proper description and categorization of the problem.
The data required as input is:
- The customer number like xxx-xxx-xxx-x (10 numeric digits, where 1 is probably a checksum)
- The ZIP code in four digits as a "security element" (of which about 4000 actually exist)
The data provided on a match between customer ID and ZIP:
- Full Name
- Birthday
- Residential address
- Landline or Mobile Phone number (if provided by customer)
Their intent in providing this data is to support a purchase for the intended person when you want to buy a gift.
How to categorize this problem?
Is there a proper CWE number for it? Probably CWE 213? Or is there another standardized categorization system?
Note: Both I and the company in question are located in Switzerland (which is not part of the European Union). I am not sure how legally binding the EU GDPR is here.
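Added illustration, not part of the question above and not the company's code: the lookup described (customer number plus a four-digit ZIP as the only "security element") is the kind of endpoint that, from the operator's side, can be monitored for guessing by looking at access logs. The snippet below parses constructed access-log lines for a hypothetical `/gift/lookup` endpoint (the path, query parameter names, IPs, customer numbers and ZIPs are all invented) and flags a source that tries many ZIPs for one customer number or many customer numbers in total. Thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines for a hypothetical endpoint /gift/lookup.
# IPs, customer numbers and ZIP codes are example values, not real data.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [10/May/2024:10:00:01 +0200] "GET /gift/lookup?customer=123-456-789-0&zip=8001 HTTP/1.1" 404 87',
    '203.0.113.10 - - [10/May/2024:10:00:02 +0200] "GET /gift/lookup?customer=123-456-789-0&zip=8002 HTTP/1.1" 404 87',
    '203.0.113.10 - - [10/May/2024:10:00:02 +0200] "GET /gift/lookup?customer=123-456-789-0&zip=8003 HTTP/1.1" 404 87',
    '198.51.100.7 - - [10/May/2024:10:00:03 +0200] "GET /gift/lookup?customer=987-654-321-0&zip=3000 HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/May/2024:10:00:03 +0200] "GET /gift/lookup?customer=123-456-789-0&zip=8004 HTTP/1.1" 404 87',
    '203.0.113.10 - - [10/May/2024:10:00:04 +0200] "GET /gift/lookup?customer=123-456-789-0&zip=8005 HTTP/1.1" 404 87',
    '203.0.113.10 - - [10/May/2024:10:00:04 +0200] "GET /gift/lookup?customer=123-456-789-0&zip=8006 HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/May/2024:10:00:05 +0200] "GET /gift/lookup?customer=111-222-333-4&zip=9000 HTTP/1.1" 404 87',
    '192.0.2.5 - - [10/May/2024:10:00:06 +0200] "GET /gift/lookup?customer=111-222-333-5&zip=9000 HTTP/1.1" 404 87',
])

# Common-log-format line with the (assumed) lookup query string.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /gift/lookup\?customer=(?P<customer>[\d-]+)&zip=(?P<zip>\d{4}) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)


def parse_lookups(log_text):
    """Return a list of (ip, customer, zip, status) tuples for lookup requests."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], m["customer"], m["zip"], int(m["status"])))
    return events


def detect_enumeration(events, max_zips_per_customer=5, max_customers_per_ip=10):
    """Flag source IPs whose request pattern looks like guessing.

    Two heuristics (thresholds are assumptions for this example):
    - many distinct ZIPs submitted for the same customer number from one IP
    - many distinct customer numbers submitted from one IP
    Returns {ip: [reason, ...]} for flagged IPs only.
    """
    zips_tried = defaultdict(set)       # (ip, customer) -> set of ZIPs
    customers_tried = defaultdict(set)  # ip -> set of customer numbers
    for ip, customer, zip_code, _status in events:
        zips_tried[(ip, customer)].add(zip_code)
        customers_tried[ip].add(customer)

    findings = defaultdict(list)
    for (ip, customer), zips in zips_tried.items():
        if len(zips) >= max_zips_per_customer:
            findings[ip].append(f"{len(zips)} distinct ZIPs tried for customer {customer}")
    for ip, customers in customers_tried.items():
        if len(customers) >= max_customers_per_ip:
            findings[ip].append(f"{len(customers)} distinct customer numbers tried")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(parse_lookups(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample only 203.0.113.10 is flagged (six ZIPs for one customer number); the single legitimate lookup and the two-attempt source stay below the thresholds. In a real deployment the same counts would feed a rate limit or lockout on the endpoint rather than only a report.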