Slashdot Mirror


ISP Emails Customer Database To Thousands

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company 'was aware this happened this morning'."

13 of 259 comments

  1. Free market will fix this by cryfreedomlove · Score: 3, Insightful

    Is there a good alternative ISP available to the same customers? If so, then I would expect a stampede away from Demon ISP to their competitor. There is no need for government intervention.

    1. Re:Free market will fix this by Anonymous Coward · Score: 5, Insightful

      Storing user passwords unencrypted in an Excel spreadsheet should be a crime.

      Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.

    2. Re:Free market will fix this by icebike · Score: 5, Insightful

      Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

      --
      Sig Battery depleted. Reverting to safe mode.

    3. Re:Free market will fix this by dbIII · Score: 4, Insightful

      If even the computer knows the password somebody has made a hash of the job :)
      It's not 1980 anymore and we have the hardware and software to make secure password handling with hashes instead of recorded passwords a very simple process, so that's the first link in this long chain of failure. That those doing the billing have access to the passwords shows that there are a lot of links in this chain that should not be there.

    4. Re:Free market will fix this by Anonymous Coward · Score: 2, Insightful

      If even the computer knows the password somebody has made a hash of the job

      Of course you mean that if even the computer knows the password, somebody failed to make a hash of it. Good call though!

  2. One more reason... by popo · Score: 2, Insightful

    ... that privacy 'policies' don't mean squat...

    --
    ------ The best brain training is now totally free : )

  3. To err is human... by Smidge207 · Score: 1, Insightful

    Human error is understandable, but the fact that Demon seems to have very little internal security seems very disappointing.

    A spreadsheet with customers' usernames and passwords should have been able to be distributed outside of the company system. I find it to be gross incompetence on the part of companies and organisations that have little or no internal document security system to prevent small breaches such as this.

    --
    Is it just my observation, or is eldavojohn an idiot?

  4. Someone had better lose their job. by olsmeister · Score: 5, Insightful

    Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
    I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user-selected ones.
    If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.

  5. Re:Who is to blame? by SlashDev · Score: 2, Insightful

    or an overworked employee who decided to take a nap at their desk.

    --
    TOP DSLR Cameras Reviews of the top DSLRs

  6. Cleartext Passwords? Really? by algae · Score: 2, Insightful

    The real WTF is that all those passwords were in the clear. What the hell business does anyone have these days, doing anything more than storing a one-way hash?

    --
    Causation can cause correlation
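The one-way hashing that dbIII and algae call for above, as an added example that is not part of the original thread or of Demon Internet's system: a credential store that keeps only a salted PBKDF2-HMAC-SHA256 derivation, so a login can be verified and an administrator can reset a password, yet nobody who reads or exports the table (billing staff included) can recover the password itself. The iteration count, salt size, record format and sample accounts are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    Only this one-way derivation is stored; the plaintext never is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def reset_password(table, username, new_password):
    """A sysadmin can set a new password without ever seeing the old one."""
    table[username] = hash_password(new_password)
    return table[username]


def export_contains_plaintext(table, plaintexts):
    """Simulate attaching the whole table to an e-mail: does the dump leak a real password?"""
    dump = "\n".join("%s,%s" % (user, rec) for user, rec in table.items())
    return any(pw in dump for pw in plaintexts)


if __name__ == "__main__":
    # Constructed sample account (not real data).
    accounts = {"alice@example.invalid": "correct horse battery staple"}
    table = {u: hash_password(p) for u, p in accounts.items()}
    print(verify_password("correct horse battery staple", table["alice@example.invalid"]))  # True
    print(export_contains_plaintext(table, accounts.values()))  # False
```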

  7. Notice the words carefully... by freedom_india · Score: 3, Insightful

    ...when a corporate is involved it always is a MISTAKE.
    When an individual hacker exposes weak security, he is a terrorist.
    Wow!
    Talk about double standards.
    Why can't the corporate be sued on the SAME grounds as hackers?

    --
    "Doing what i can, with what i have." ~ Burt Gummer

  8. Re:Really! by Kalriath · Score: 2, Insightful

    Credit Card info? That's a violation of PCI DSS right there along the lines of the great Web Hosting Talk fuck-up of last year. You can be fined millions for that.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  9. Re:My experience of the same thing... by 7+digits · Score: 3, Insightful

    Snopes says it is true.

    I also like the idea of Wells Fargo sending this to customers:

    You owe your soul to the company store. Why not owe your home to Wells Fargo? An equity advantage loan can help you spend what would have been your children's inheritance.