Slashdot Mirror
ISP Emails Customer Database To Thousands
Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."
Demon Internet Yesman: Christ! We're getting murdered out there! ... if it was fucking October! And we're dealing with internet users here, not AOL USERS! Jesus, has anyone else got something better? ... ... ... I'm listening ... ... and now that the evil person tried to do something evil with that data, we have caught them and they are safely behind bars but if you're receiving this message you are not evil so you have nothing to worry about and only good people have your information.
Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
Demon Internet CEO: Not bad, not bad
Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can
Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
Demon Internet Yeswoman: *tentatively raises her had* Well, we could tell them that we suspected one of them was an evil dirty file sharer
Demon Internet CEO:
Demon Internet Yeswoman:
Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.
My work here is dung.
Security through obscurity never helped anyone.
839*929
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one was hash with salt, folks!
Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.
I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
This story goes back several years, as you will see.
Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each days transactions by modem to a central computer that printed the monthly bills.
For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
18 months later I got a (manually generated) bill for $13,000.
The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.
If you're a zombie and you know it, bite your friend!
Storing user passwords unencrypted in an excel spreadsheet should be a crime.
Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.
Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.
Their biggest competitor is BT ... Not quite seeing a stampede happening in that direction.
There's always Orange, I guess...
(...and to think that I bitch about Comcast...)
Quo usque tandem abutere, Nimbus, patientia nostra?
Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.
Sig Battery depleted. Reverting to safe mode.
Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P
The stories are funnier when they are fictitious, Sally.
Great, I just got an diabetes and an erection from reading your post.
"Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.
My work here is dung.
I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happend? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.
Many moons ago, I was told a tale about sending out mass mailings, not this "slip of the mouse" email stuff.
The bank's marketing and finance guys have come up with this glossy brochure of stuff for their top customers, based on something like highest 5% balance holders. There's a letter drafted to accompany the brochure, it just remains to do the little personalising touches for the final run.
Someone forgets to replace the output placeholder with the salutation generation program that'll even spew out "Dear Sir Whimsey-Porpoise".
The final letters are printed, enveloped, and mailed. The salutation from the placeholder piece of code? "Dear Rich Bastard,".
Where's the Kaboom?
There's supposed to be an Earth-shattering Kaboom.