Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISP Closes Webmail After Spammers Get Addresses

Posted by CowboyNeal on from the simplest-solutions dept.

An anonymous reader writes "Error prone British ISP PlusNet, who you might remember for accidentally deleting 700GB of customer's e-mail last year, have done it again with a major security gaffe. Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP. In an e-mail to their customers, Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."

9 of 142 comments (clear)

  1. Waiter, Can I have the bill please? by jamesjw · · Score: 3, Insightful

    Honestly, if this happened to me, not only would I feel it my right to complain but to also seek out a new ISP.

    Nothing completely short of complete incompetence!

    --
    -- If at first you don't succeed, lie!
  2. They sent an email to their customers?! by Rik+Sweeney · · Score: 5, Insightful

    Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP. In an e-mail to their customers...

    It's unlikely they'll actually be able to read this email given the fact that they're now drowning in spam...

    --
    Summation 2
  3. Lost emails by SuperGT · · Score: 5, Insightful

    I always worry about this. I use my gmail account as a sort of backup, just in case my laptop decides to fail. And I also keep loads of emails there with important information I may need later. I treat it as my safety net, but what if this was to happen? I understand that google and this ISP are probably years apart (as far as security and technology), but it still makes you wonder. Now I feel like making a backup on a thumbdrive, saving it on a dvd-r, etc.

  4. units, people, watch your units. by mapkinase · · Score: 3, Insightful

    "700 Gb" does not seem much (divide by gmail box size and you get the number of 200 maxed out beefy gmail users), because it is an idiotic measure of stolen goods. "X raped whopping 500 women pounds", "Y stole 4500 banknotes from the bank", "Z trespassed 100 feet of my property".

    Reminds me of the Russian cartoon for kids, where different animals measure their sizes relative to the sizes of other animals, and in the end the Python says "I am much longer in Kakadoo than in Elephants".

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  5. Security software by Mostly+a+lurker · · Score: 3, Insightful

    Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."
    A few comments:
    1. They almost certainly were using security software. The problem is that it is awfully difficult to judge effective security software from the much more common snake oil that is out there.
    2. There is a decent chance that the breach was not the fault of the security software but some kind of human error. They probably made the common mistake of assuming all they had to do was install firewall, intrusion detection and anti-malware tools and they were magically fully protected.
    3. This kind of event will probably become commonplace. There is a lot of money to be made, the crackers are technically more competent than much of the sysadmin community, and they only need to attack at the weakest points.
    1. Re:Security software by Serious+Poo · · Score: 2, Insightful

      No offense intended, but when you say "almost certainly", "there's a decent chance", and "will probably" that means that you don't really know and are making assumptions and/or generalizations. I'm not so forgiving in my view of this ISP's actions - it appears that they messed up big time. While I completely agree that there's a lot of FUD in the security marketplace these days, it's the responsibility of management to hire people who know this stuff cold. People who know that it's "People, Process, and Technology" - in that order. Any company that goes and implements Technology (i.e., a security product) without first considering People (e.g., training & hiring competent people) and Process elements (e.g., adequate supporting policies, procedures, security architectures, reviews/audits) is at considerable risk of failing by design. Companies that make money from processing/storing/selling/brokering people's sensitive information have a responsibility to safeguard their customer's data. This ISP appears to have failed in that regard.

      --
      "There is nothing more unequal than the equal treatment of unequal people." - Thomas Jefferson
  6. This is *not* a solution! by The+tECHIDNA · · Score: 2, Insightful
    From PlusNet's letter:
    In the meantime, if you use Webmail to check your PlusNet email from your own PC, you might find it more convenient to use an email program which runs on your PC instead.

    So let me get this straight: PlusNet's closing down the WebMail service, but leaves the main e-mail server running, so

    (1) the spam still comes in to the e-mail addresses
    (2) users now cannot access via their Internet Browser and must use an e-mail client which may not filter spam as well (or sometimes at all)

    Brilliant!
    Who's running this company -- Moe, Larry, or Curly?

  7. Data Protection Act? by Phil246 · · Score: 4, Insightful

    Customers of this ISP may want to check to see if they can take action against them under the data protection act.
    in particular, the sections:
    "Personal data should be securely kept, and not transferred to any other country without adequate protection."
    and
    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

    ( http://en.wikipedia.org/wiki/Data_Protection_Act )

  8. Re:I'm one of the victims... by Anonymous Coward · · Score: 1, Insightful

    Sorry, by that logic I shouldn't blame my bank for leaving the door unlocked and the vault door open.. It would be the nasty thieves fault...

    I had done something, I haven't had a SPAM for five years on the main accounts and my daughter had never had an offer to enlarge an organ she doesn't have in all that time... Now she is getting five a day, as well infinte numbers of offers to download Photoshop...

    This was a web server application, it is NOT rocket science to lock the damned thing down, there are a fair number of tools for testing the locks, and if PlusNet don't know how to do that then they shouldn't be running an ISP.

    As I say, my family is being bombarded with SPAM and since it's PlusNet that screwed up and they have not apologised, then I am moving. Fool me once.... (When they lost my mail) now they've fooled me twice...