Slashdot Mirror


ISP Emails Customer Database To Thousands

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."

21 of 259 comments

  1. Meanwhile ... at Demon Internet Corporate Offices by eldavojohn · · Score: 5, Funny

    Demon Internet Yesman: Christ! We're getting murdered out there!
    Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
    Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
    Demon Internet CEO: Not bad, not bad ... if it was fucking October! And we're dealing with internet users here, not AOL USERS! Jesus, has anyone else got something better?
    Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can ...
    Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
    Demon Internet Yeswoman: *tentatively raises her hand* Well, we could tell them that we suspected one of them was an evil dirty file sharer ...
    Demon Internet CEO: ... I'm listening ...
    Demon Internet Yeswoman: ... and now that the evil person tried to do something evil with that data, we have caught them and they are safely behind bars but if you're receiving this message you are not evil so you have nothing to worry about and only good people have your information.
    Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.

    --
    My work here is dung.
  2. Re:Meanwhile ... at Demon Internet Corporate Offic by Reason58 · · Score: 4, Funny

    Demon's going to have hell to pay.

  3. So what? by should_be_linear · · Score: 5, Funny

    Security through obscurity never helped anyone.

    --
    839*929
  4. Who is to blame? by Monkeedude1212 · · Score: 4, Funny

    10 Bucks says it comes down to a cat on the keyboard.

  5. They shouldn't even have the passwords by danlip · · Score: 5, Informative

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.

  6. computer billing story by innocent_white_lamb · · Score: 5, Interesting

    I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
     
    This story goes back several years, as you will see.
     
    Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each day's transactions by modem to a central computer that printed the monthly bills.
     
    For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
     
    18 months later I got a (manually generated) bill for $13,000.
     
    The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.

    --
    If you're a zombie and you know it, bite your friend!
  7. Re:Free market will fix this by Anonymous Coward · · Score: 5, Insightful

    Storing user passwords unencrypted in an excel spreadsheet should be a crime.

    Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.

  8. And this is partly why I refused eBilling by PipingSnail · · Score: 4, Interesting

    Demon wanted all customers to take up eBilling several years ago. You had to opt out of eBilling. I opted out because I wanted a printed invoice to give to the accountants and because I thought sooner or later some cockup like this would happen. My choice has been vindicated. And no, I won't be looking for another vendor. Demon are more expensive than other vendors, but other than the eBilling foulup, they are generally good and have no bandwidth restrictions or upper limits at all. And that is what I want.

  9. Someone had better lose their job. by olsmeister · · Score: 5, Insightful

    Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
    I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
    If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.

  10. Re:Free market will fix this by Penguinisto · · Score: 5, Interesting

    Their biggest competitor is BT ... Not quite seeing a stampede happening in that direction.

    There's always Orange, I guess...

    (...and to think that I bitch about Comcast...)

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  11. Re:Free market will fix this by icebike · · Score: 5, Insightful

    Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

    --
    Sig Battery depleted. Reverting to safe mode.
  12. Looking forward by vrmlguy · · Score: 4, Interesting

    I think that we should start putting fictitious information (something blob-like, like a customer name) into sensitive databases that matches one or more virus signatures. This would cause email filters to block the content before it leaves the premises. (Yes, I realize that we'd need to be filtering out-going mail, but unless you're a spam generator, that's a small fraction of your incoming email. Some of us are already doing this, although not for this reason.)

    --
    Nothing for 6-digit uids?
  13. Re:Meanwhile ... at Demon Internet Corporate Offic by Reason58 · · Score: 5, Funny

    Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

    The stories are funnier when they are fictitious, Sally.

  14. Re:Meanwhile ... at Demon Internet Corporate Offic by eldavojohn · · Score: 5, Funny

    Great, I just got diabetes and an erection from reading your post.

    "Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.

    --
    My work here is dung.
  15. Re:Free market will fix this by clive_p · · Score: 4, Interesting

    I'm amazed that you never heard complaints. I was with them for 14 years, but left a few months ago, as their service deteriorated to a level that was completely intolerable. The original company was good, but was successively taken over several times, and all the competent people left. Have a look at the Usenet newsgroup demon.service and you will find plenty of complaints...

  16. My experience of the same thing... by w0mprat · · Score: 4, Interesting
    I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.

    Yes, some asshat will accidentally forward whatever. How this occurs is demonstrated by my example below (I witnessed this, details altered). I've seen co-workers make this mistake, and I've been a customer when the same fault happened and I got sent a 700kb spreadsheet of confidential information. But anyway, here is the two-step method to epic fail:

    Step 1: Email staff with a template for them to send, and attach a spreadsheet of the customers

    -----Original Message-----
    From: Bob Smart [mailto: Bob.Smart@[-------].co.--]
    Sent: Thursday, 23 September 2008 10:53
    To: [-------] Outbound Contact Team
    Subject: FW: eBill template


    Hi Team,

    Please send this template below to all customers in the attached spreadsheet. You three can divide the work amongst yourselves.

    >

    Dear customer-name-here,

    [etc..]

    .....

    Step 2: Your keyboard jockeys forward the email, delete the header and the boss's message, and insert the customer details into the template. Send, Boom, Done.

    By default, forwarding in pretty much all mail applications keeps the attachment.

    I'm sure this is the principal way documents are leaked from just about any organisation.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
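The two steps w0mprat describes, and vrmlguy's suggestion further up of seeding the customer table with a planted record that an outbound filter recognises, worked through as an added example (this is not code from the thread or from any ISP; the canary marker, the addresses, the CSV rows and the mail-gateway check are all constructed for illustration). It builds the manager's "template plus spreadsheet" mail, forwards it the way a mail client would, with the attachment carried along, and then runs a gateway-side check over the serialised message that blocks anything carrying the canary record.

```python
import csv
import io
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed marker value. In a real deployment it would sit in a fake
# customer row that is never legitimately mailed outside the organisation.
CANARY = "CANARY-CUSTOMER-7f3a9c"

# Constructed customer rows of the kind described in the thread, with one
# planted canary row among the real-looking ones.
CUSTOMER_ROWS = [
    ("alice@example.org", "01234 000001", "alice"),
    ("canary@example.invalid", "00000 000000", CANARY),
    ("bob@example.org", "01234 000002", "bob"),
]


def build_customer_sheet() -> bytes:
    """Serialise the customer table as CSV, the attachment staff will receive."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["email", "phone", "username"])
    writer.writerows(CUSTOMER_ROWS)
    return buf.getvalue().encode()


def internal_instruction(sheet: bytes) -> EmailMessage:
    """Step 1 of the post: a manager mails the team the template plus the whole sheet."""
    msg = EmailMessage()
    msg["From"] = "boss@isp.example"
    msg["To"] = "outbound-team@isp.example"
    msg["Subject"] = "FW: eBill template"
    msg.set_content(
        "Please send the template below to all customers in the attached spreadsheet.\n\n"
        "Dear customer-name-here,\n[etc..]\n"
    )
    msg.add_attachment(sheet, maintype="application", subtype="octet-stream",
                       filename="customers.csv")
    return msg


def forward_to_customer(original: EmailMessage, customer: str,
                        keep_attachments: bool = True) -> EmailMessage:
    """Step 2 of the post: staff forward the mail after trimming the text.
    Like most mail clients, a forward carries every attachment of the
    original unless someone removes it (keep_attachments=False)."""
    fwd = EmailMessage()
    fwd["From"] = "outbound-team@isp.example"
    fwd["To"] = customer
    fwd["Subject"] = "Your new eBill"
    fwd.set_content(f"Dear {customer},\n\nHere is how to use the new ebilling system.\n")
    if keep_attachments:
        for part in original.iter_attachments():
            fwd.add_attachment(part.get_content(),
                               maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(),
                               filename=part.get_filename())
    return fwd


def outbound_filter(raw: bytes) -> tuple[str, str]:
    """Gateway-side check on the serialised message: decode the body and every
    attachment and look for the canary. Returns ("block", why) or ("allow", why)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if CANARY.encode() in payload:
            where = part.get_filename() or "message body"
            return "block", f"canary record found in {where}"
    return "allow", "no canary record present"


def demo() -> dict:
    """Run the scenario once with the attachment kept and once with it removed."""
    internal = internal_instruction(build_customer_sheet())
    leaked = forward_to_customer(internal, "alice@example.org")
    trimmed = forward_to_customer(internal, "alice@example.org", keep_attachments=False)
    return {
        "attachments_after_forward": len(list(leaked.iter_attachments())),
        "leaked": outbound_filter(leaked.as_bytes()),
        "trimmed": outbound_filter(trimmed.as_bytes()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check runs on the wire bytes rather than on the client's message object, which is where a gateway would see it; the same scan applied to the manager's internal mail also trips, so in practice the rule is applied only to mail leaving the organisation, as vrmlguy's comment about filtering outgoing mail implies.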
    1. Re:My experience of the same thing... by Ronald+Dumsfeld · · Score: 5, Funny

      I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.

      Many moons ago, I was told a tale about sending out mass mailings, not this "slip of the mouse" email stuff.

      The bank's marketing and finance guys have come up with this glossy brochure of stuff for their top customers, based on something like highest 5% balance holders. There's a letter drafted to accompany the brochure, it just remains to do the little personalising touches for the final run.

      Someone forgets to replace the output placeholder with the salutation generation program that'll even spew out "Dear Sir Whimsey-Porpoise".

      The final letters are printed, enveloped, and mailed. The salutation from the placeholder piece of code? "Dear Rich Bastard,".

      --
      Where's the Kaboom?
      There's supposed to be an Earth-shattering Kaboom.
  17. Anyone else with horror stories with Demon? by Fredde87 · · Score: 4, Informative

    I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers' email and domains. We used to buy the domains through Demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid, they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts. Then the same thing happened a second time a few weeks later. Obviously after the first time we asked them to double check that there were no more outstanding bills we hadn't received and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked. Awful company to deal with in general; any DNS changes to a domain have to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon can't make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just cancelled all of them and then put them through as new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first, which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they removed all our DNS records from their NS server. Luckily the move went through smoothly. Now with Zen and 1&1, which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no emails or web services. Thank you and goodbye Demon!

  18. Passwords are needed - CHAP by mortonda · · Score: 4, Informative

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    While having it in an Excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the radius server, which can then look up the salt, hash it, and then verify the password.

    However, since this means sending passwords in the clear, most modem concentrators (most ISPs resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the radius server. In order for the radius server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.

    That said, it should be stored in a hardened and dedicated server that only handles the storage (SQL or LDAP) and the radius server. Any billing interaction should only be to update the password, never to read it. And it should never be put into an Excel or Word doc!
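The CHAP-versus-PAP difference mortonda describes, worked through as an added example (not code from the thread or from any RADIUS product; the secret, identifier and challenge bytes are constructed, and the PBKDF2 parameters on the PAP side are chosen for the example). The CHAP side follows RFC 1994's MD5 algorithm: the peer answers a challenge with MD5(identifier || secret || challenge), so the authenticator can only check the answer if it holds the same cleartext secret, and a hash-only store, as recommended elsewhere in this thread, leaves it unable to verify anyone. The PAP side shows the contrast: because the peer sends the password itself, the server can keep nothing but a salt and a slow salted hash.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # chosen for the example, not a protocol constant


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP (RFC 1994, MD5 algorithm): the Response Value is MD5
    over the Identifier octet, the shared secret and the Challenge Value, in
    that order. The secret itself never crosses the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(stored_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator (RADIUS) side. Recomputing the peer's MD5 requires the
    same cleartext secret; a hash of the secret cannot stand in for it."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_enroll(password: bytes, salt: bytes = b"") -> tuple:
    """PAP lets the server keep only (salt, salted slow hash); the password is
    discarded after enrolment. A fixed salt may be passed for reproducibility."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest


def pap_verify(record: tuple, password: bytes) -> bool:
    """PAP authenticator side: the peer sent the password itself, so the
    server hashes it with the stored salt and compares."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Run one CHAP exchange and one PAP check with constructed values."""
    secret = b"dialup-secret"                  # constructed shared secret
    challenge = bytes(range(16))               # constructed; real challenges are random
    ident = 1
    response = chap_response(ident, secret, challenge)
    # What a "store only a hash" policy would leave the authenticator holding.
    hash_only_store = hashlib.sha256(secret).digest()
    pap_record = pap_enroll(secret, salt=b"\x00" * 16)
    return {
        "chap_ok_with_cleartext": chap_verify(secret, ident, challenge, response),
        "chap_fails_with_hash_only": chap_verify(hash_only_store, ident, challenge, response),
        "chap_rejects_response_to_other_challenge": chap_verify(secret, ident, bytes(16), response),
        "pap_ok_with_salted_hash": pap_verify(pap_record, secret),
        "pap_rejects_wrong_password": pap_verify(pap_record, b"wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequence is the one mortonda draws: a CHAP secret store is a cleartext-password store and has to be protected as such, with the billing side allowed to write new secrets but never to read them back.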

  19. Re:To err is human... by mortonda · · Score: 4, Informative

    Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post

  20. Re:Free market will fix this by dbIII · · Score: 4, Insightful

    If even the computer knows the password somebody has made a hash of the job :)
    It's not 1980 anymore and we have the hardware and software to make secure password handling with hashes instead of recorded passwords a very simple process, so that's the first link in this long chain of failure. That those doing the billing have access to the passwords shows that there are a lot of links in this chain that should not be there.