Slashdot Mirror


ISP Emails Customer Database To Thousands

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."

4 of 259 comments

  1. Re:Free market will fix this by Anonymous Coward · · Score: 5, Insightful

    Storing user passwords unencrypted in an Excel spreadsheet should be a crime.

    Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.

  2. Someone had better lose their job. by olsmeister · · Score: 5, Insightful

    Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
    I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user-selected ones.
    If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.

  3. Re:Free market will fix this by icebike · · Score: 5, Insightful

    Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins, can see it. They can change it but not see it.

    --
    Sig Battery depleted. Reverting to safe mode.

  4. Re:Free market will fix this by dbIII · · Score: 4, Insightful

    If even the computer knows the password, somebody has made a hash of the job :)
    It's not 1980 anymore and we have the hardware and software to make secure password handling with hashes instead of recorded passwords a very simple process, so that's the first link in this long chain of failure. That those doing the billing have access to the passwords shows that there are a lot of links in this chain that should not be there.
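
The practice comments 3 and 4 describe (keep a salted hash, let staff reset a password but never read it), as an added example that is not part of the original thread. `CredentialStore`, the usernames, the sample passwords and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class CredentialStore:
    """Hypothetical ebilling account store that never records a password."""

    def __init__(self):
        self._rows = {}  # username -> (iterations, salt, derived_key)

    def set_password(self, username: str, password: str) -> None:
        # Also the staff "reset" path: it overwrites the record and reads nothing back.
        salt = secrets.token_bytes(16)  # per-user salt, so equal passwords hash differently
        self._rows[username] = (ITERATIONS, salt, _derive(password, salt, ITERATIONS))

    def verify(self, username: str, candidate: str) -> bool:
        row = self._rows.get(username)
        if row is None:
            # Spend the same work on unknown users so timing does not reveal who exists.
            _derive(candidate, b"\x00" * 16, ITERATIONS)
            return False
        iterations, salt, stored = row
        return hmac.compare_digest(stored, _derive(candidate, salt, iterations))

    def export_rows(self):
        # Everything the store holds: still sensitive, but no plaintext to leak.
        return [
            f"{user},pbkdf2_sha256${it}${salt.hex()}${key.hex()}"
            for user, (it, salt, key) in sorted(self._rows.items())
        ]


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "correct horse battery staple")  # constructed sample data
    store.set_password("bob", "correct horse battery staple")
    print(store.verify("alice", "correct horse battery staple"))
    print(*store.export_rows(), sep="\n")
```
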