South African grilled chicken restaurant chain Nando's has confirmed that its Firestarters fan campaign website was leaking the personal data of any of its fans who completed the online survey. The privacy concern with the Nando's website was first highlighted on Twitter by Jarn Athern, who had received what he called an uncomfortable WhatsApp message from someone who said they got his details via the Nando's Firestarters website.

The Firestarters campaign website was started by Nando's in 2013 as an online Nando's fan community where fans stood a chance to win various prizes after completing an online survey.

"Our investigation is looking into how one old page was cached, we have already requested that Google remove any cached pages, and will confirm once we are clear this has taken place. Nando’s would like to assure all its Firestarters that their personal details and data is secure, and we will provide ongoing updates as our investigation progresses."

What actually happened?

Nando's appears to be using a solution provided by an American company called Vision Critical. Vision Critical is used by some of the world's most renowned brands and companies for collecting customer feedback and data. As it says on its website, it helps companies "get feedback to make data-driven decisions in hours rather than days or weeks to keep up with the pace of your business needs and product innovation cycles."

Once a person completed a survey on the Nando's Firestarters website, they would receive a link to their completed survey. Some respondents posted their links on social media, which led to those survey results pages being indexed by Google and made them easy to find through Google Search.
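The following check is an added illustration, not code from Nando's or Vision Critical: it audits what a per-respondent results page returns to a visitor with no login, which is also what a search crawler sees. The function name, finding labels and sample responses are constructed for this example.

```python
import re

# Robots meta tag in the HTML; assumes the name attribute precedes content.
META_ROBOTS = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]*content=["\']([^"\']*)["\']', re.I)

def audit_results_page(status, headers, body):
    """Findings for a results-page response fetched WITHOUT credentials."""
    if status != 200:
        return []  # redirect to login, 401, 403...: no data for anonymous users
    findings = ["readable-without-login"]  # the link alone grants access
    h = {k.lower(): v.lower() for k, v in headers.items()}
    # Indexing directives can arrive as a header or as a meta tag.
    robots = h.get("x-robots-tag", "")
    meta = META_ROBOTS.search(body)
    if meta:
        robots += "," + meta.group(1).lower()
    if not {d.strip() for d in robots.split(",")} & {"noindex", "none"}:
        findings.append("indexable")  # a crawler may list this page
    # Shared HTTP caches (proxies, CDNs) may keep a copy unless told not to.
    cache = {d.strip() for d in h.get("cache-control", "").split(",")}
    if not cache & {"no-store", "private"}:
        findings.append("shared-cache-allowed")
    return findings

# Constructed sample responses (not captured from any real site).
PAGE = "<html><body>Name: Test User, Phone: 000 000 0000</body></html>"
LEAKY = (200, {"Content-Type": "text/html"}, PAGE)
NOINDEX_ONLY = (200, {"X-Robots-Tag": "noindex",
                      "Cache-Control": "no-store"}, PAGE)
META_NOINDEX = (200, {"Cache-Control": "private, max-age=0"},
                '<html><head><meta name="robots" content="noindex, nofollow">'
                "</head><body>Name: Test User</body></html>")
LOGIN_REQUIRED = (302, {"Location": "/login"}, "")

if __name__ == "__main__":
    for name, resp in [("leaky", LEAKY), ("noindex only", NOINDEX_ONLY),
                       ("meta noindex", META_NOINDEX),
                       ("login required", LOGIN_REQUIRED)]:
        print(f"{name:15} {audit_results_page(*resp)}")
```

The "noindex only" case still reports `readable-without-login`: keeping the page out of search results does not protect it once the link itself has been shared.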

The same problem was replicated by Darryn VD Walt, who posted on Twitter that NASCAR was running the same Vision Critical solution and was leaking user data. It is important to note, however, that not all of the companies using Vision Critical's solution are affected by this leaking of user data, and it seems (yet to be confirmed) that it has to do with some settings.

Nando's responds

Following the data leak revelation, Nando's issued a statement, part of which you can read below. What is concerning about Nando's statement, though, is that it says that sharing of survey links is prohibited by its Terms & Conditions, which suggests that the company knew of the implications and thus took no precautions.

Nando's has since disabled the Firestarters website, while the NASCAR survey website was still up and running at the time of publishing.

Nando’s South Africa would like to clarify the latest news around a claimed data breach circulated in the media today. Facts to date:

  • A link to a private Nando’s Firestarters survey was shared on Twitter in 2014.
  • The details of the page shared resurfaced as a data breach.
  • Nando’s would like to clarify that this is not a data breach, and is instead a circulation of a cached (temporarily stored) page.
  • This private link was shared, despite this action being against our T’s and C’s – we have reached out to the customer, and understand that this was not intentional.
  • As soon as the Nando’s team were notified of this circulation, we launched an investigation and can confirm that no further user data is at risk.