M&S Jersey Customer Surveys

Customer feedback survey site collects personal data via an insecure web page


What is the problem?

A third-party hosted customer survey site collects personal information to allow shoppers to enter a monthly prize draw. The company, InMoment, claims in its Privacy Policy that “The Sites (including, but not limited to: websites, surveys, reporting applications, and data transfer applications), have commercially reasonable security measures consistent with industry standards in place to protect against the loss, misuse and interception of information by third parties.”

It is unclear how InMoment could arrive at the conclusion that its security measures follow industry standards. Protecting user data from interception in transit by using encryption is a basic precaution that is widely understood.
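One way to check a page for the problem described above, as an added example that is not part of the original post: it flags forms that collect personal fields when the page itself or the form target uses plain HTTP. The field-name hints, the sample URL and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as personal data (an assumption for this example).
PERSONAL_HINTS = ("name", "email", "phone", "address", "postcode", "dob")

class FormCollector(HTMLParser):
    """Collects each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return one finding per form that handles personal data without HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    page_is_https = urlsplit(page_url).scheme == "https"
    for form in parser.forms:
        personal = [f for f in form["fields"] if any(h in f for h in PERSONAL_HINTS)]
        if not personal:
            continue
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        reasons = []
        if not page_is_https:
            reasons.append("page served over plain HTTP")
        if urlsplit(target).scheme != "https":
            reasons.append("form submits over plain HTTP")
        if reasons:
            findings.append({"target": target, "fields": personal, "reasons": reasons})
    return findings

# Constructed sample page; the URL and field names are placeholders.
SAMPLE_URL = "http://survey.example/prize-draw"
SAMPLE_HTML = ('<form action="/submit" method="post">'
               '<input name="full_name"><input name="email"><input name="rating"></form>')
```

A page served over HTTPS whose form still posts to an `http://` target is reported as well, since the submitted data would cross the network unencrypted.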

Disclosure Policy

Prior to public disclosure, notification about any privacy or security issues discovered was sent by email to the operator of this website on 4th August 2018, using either an email address publicly discoverable on the site, or the RFC 2142 standards-compliant address "webmaster@..." if no public email address was provided.

At the time of posting, the issue had not yet been resolved.