A high profile case of personal data leaking onto Internet because of poor design of a web application just occurred in Poland. It is worth looking at, I think, as it shows clearly one problem with how many web applications are created today.

First a brief recap of the situation: one of major Polish banks – Bank Pekao, part of UniCredit group – started a hiring campaign. As part of that they hired a PR agency that also built them a special website – zainwestujwprzyszlosc.pl (“Invest in your future dot pl”) where candidates could submit resumes and cover letters. And submit they did – hundreds of them. Then one blogger noticed resumes submitted showing in Google results when he searched for his last name and found someone’s resume available for download. He checked the link and to his amazement found that under http://zainwestujwprzyszlosc.pl/files/0 you could find a listing of more than a thousand resumes and download them. Hundreds of files full of personal details and – as it is usually the case – people making fools of themselves in cover letters.

Following his blog post getting immensely popular the story was picked up by mainstream media, someone notified the authorities and the bank. By Monday the whole nicely designed site was replaced with a brief message posted in a hurry saying that the site is closed.

Now this classic story shows many things one could write about – for example total ignorance of media exploited by bank’s PR who said that this situation “was due to a hacker attack” when it was clearly a major design flaw. Or the fact that after the bank officially stated this and added that they closed the page and people’s data is now secure everyone could easily pull those files from Google’s cache. Or that – worse even – coupling of ignorance with arrogance when they accused the blogger and others of “stealing data”.

But I want to concentrate on the root cause of all this mess which I think is not treating web applications as serious software.

I reckon that all this happened because web is still treated as “pages” – not software. So everyone worries about how their sites are designed in terms of graphic beauty, not engineering. Consequently, building web sites is entrusted to “web designers” or “interactive agencies” or – even worse – PR firms (as in this case). Those well meaning companies or people are usually good at whatever their primary business is (graphic design, communication) but lack knowledge of software engineering.

In fact there are many people now who even claim to be “programmers” because they can build a “script” in PHP or even put things together with Ruby on Rails. This obviously doesn’t make them programmers – just like being able to replace oil in your car doesn’t make you an engine designer – but they still claim that to totally ignorant customers who, let me restate that, don’t treat their sites as software. Bank in question has – I’m sure – a very capable IT department, but I bet this website was ordered by someone from marketing or HR who never bothered to consult his own IT colleagues – because it is just “some pages”.

This approach might have been ok 8 years ago when few web sites were rarely anything more than pages + images. But by now it is hard to find such “pages” anymore – the web abounds with true applications. And applications means software – with all the things to consider “interactive agencies” never heard of like data models, database design, scalability and – yes – security!

But failing to recognize web applications for what they really are (software, getting more complex every year) companies hire wrong people or outsource to wrong teams. And then they have problems.

At Code Sprinters we take a totally different view. We don’t claim to do “pages”, we don’t call ourselves “interactive agency”, openly admit we suck at PR and are not good at graphic design. We are a software company specializing in delivering web applications and systems.

And that we take seriously. We hire only true software engineers, that is people who know what data model is, how database design works, what design patters are – and are trained (and mentally capable) to consider consequences given design will have for scalability and security. Work done by such people does cost more – not only because they are more expensive than “web designers” (which is not always true), but also because they put more work into building each web application – and that because they don’t skip building it to be secure, don’t skip building a suite of automated tests around it and do take care to write the code someone else will be able to read & extend in the future.

To be honest I won’t say we never ever have bugs in our applications – but major design flaws like in this case are simply not possible (leaving important files on a publicly accessible directory and feeding it to Google to index them is outrageously bad design). We would die of shame if anything this bad would ever be delivered by us.

The Peako incident shows clearly that is not wise to entrust building software to people who don’t have a clue about it. Pekao has just learned the hard way what the real cost of doing that is. Consider how much will this bank have to pay now all the people who will be smart enough to sue them for damages? Consider damage to their image and reputation. And take into account that under EU privacy protection laws they even face penalties from the government and are under investigation now.

Others should learn from this example. After all this is a huge bank and it will survive it – hiring is not their primary business and most of their clientele is not geeky enough to understand the problem. But think what would a blunder like this do to an HR company?

So, to sum it all up:

  • quality – and security – do cost,
  • web applications are software,
  • software should be built by people who are qualified to do it,
  • “interactive agencies” or “web designers” on average don’t have skills and experience to build complex software.

If you save on your web applications or hire wrong people to build it well – you’re in for trouble.