Well...
At least their web site is performing better than their car...
*ducks*
A Grand Prix competition from Renault hit the barriers on Thursday after it emerged that the motoring firm was inadvertently leaking entrants' personal details onto the web. Renault UK are offering more than 600 pairs of tickets to attend either the practice, qualification or the actual race day of the British Grand Prix on 4 …
...if it's the same guy running their web team as a couple of years back. Renault UK wanted to build a purchasing page for its members in association with our company. We had the meeting and discussed with them how to do it. After 2 months they decided they couldn't do it and gave us 1 week for our web developer to write it himself.
I noticed a similar issue on the mailing list page of a well known UK sports team. If you go to edit your details, your member id is used as part of the URL to your personal details page (www.team.com/edit?id=1234). Changing the id got you to another user's details.
I emailed them, they responded quickly, taking the page down short-term, and fixing it with a proper system within a few days.
You do have to wonder at the mentality of a "developer" who comes up with crap like that and implements it in a live site though. No doubt a simple download of demo code from an HTML For Dummies site, never intended as a secure solution, just a "how does a POST form work" example.
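The `edit?id=1234` problem described in the comments above, shown as an added example (not code from any commenter or from either site): a handler that trusts the id in the URL, the same handler bound to the logged-in session, and a regression check that flags cross-account reads. The member records, session tokens and function names are all constructed for illustration.

```python
# Constructed sample data: member records keyed by member id.
MEMBERS = {
    1234: {"name": "Alice Example", "email": "alice@example.test"},
    1235: {"name": "Bob Example", "email": "bob@example.test"},
}
# Constructed session store: opaque session token -> authenticated member id.
SESSIONS = {"sess-alice": 1234, "sess-bob": 1235}


class Forbidden(Exception):
    """Raised when the caller may not view the requested record."""


def edit_page_vulnerable(session_token, query_id):
    # Flawed pattern: only the id from the URL is consulted, so whoever
    # supplies an id receives that member's details. The session is ignored.
    return MEMBERS[int(query_id)]


def edit_page_fixed(session_token, query_id=None):
    # The record is chosen from the server-side session, never from the URL.
    member_id = SESSIONS.get(session_token)
    if member_id is None:
        raise Forbidden("not logged in")
    # If old links still send an id, it must match the session owner.
    if query_id is not None and str(query_id) != str(member_id):
        raise Forbidden("id does not belong to this session")
    return MEMBERS[member_id]


def cross_account_leaks(handler):
    """Return (owner, requested) pairs where handler served another member's record."""
    leaks = []
    for token, owner in SESSIONS.items():
        for requested in MEMBERS:
            if requested == owner:
                continue
            try:
                handler(token, requested)
            except Forbidden:
                continue
            leaks.append((owner, requested))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", cross_account_leaks(edit_page_vulnerable))
    print("fixed:     ", cross_account_leaks(edit_page_fixed))
```

A check like `cross_account_leaks` belongs in the test suite of any page that takes a record identifier from the request, so the authorization rule cannot silently regress.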