Ameriprise Financial knew about serious security vulnerabilities – and did nothing
Monday, August 24th, 2009
Yesterday, The Register published an article detailing a scary story.
HolisticInfoSec.org found critical cross-site scripting (XSS) vulnerabilities on Ameriprise Financial’s website. The worst part is that HolisticInfoSec.org notified Ameriprise of the issues and was ignored for five months, leaving Ameriprise’s customer information vulnerable. The article can be read in full here: http://www.theregister.co.uk/2009/08/20/ameriprise_website_vulnerabilities/. The Consumerist (owned by Consumer Reports) also published an article about The Register’s story.
I find it a bit frustrating that any company within the financial industry would not be treating this type of vulnerability with the greatest of priority.
According to the article, Benjamin Pratt, VP of Public Communications, has stated that Ameriprise has addressed their web vulnerabilities.
“He said Ameriprise officials have no way of verifying that the bugs were reported as long ago as March, but in any event he said that there are no plans to review any of the mechanisms the company may have in place to receive notifications from the public about website vulnerabilities.”
Ameriprise customers have their finances in the hands of this company, yet the company downplays the importance of addressing website vulnerabilities, for whatever reason.
If your doctor downplayed the importance of avoiding cancer, you would be concerned, right?





