BT has dismissed the significance of supposed vulnerabilities on its systems detailed by infamous hacker Unu on Tuesday. The Romanian hacker posted screenshots illustrating what he claimed highlighted SQL injections in a posting at Hackersploit.org. "A faulty parameter, improperly sanitized opens the vault to the pretious (sic …
Off Shored Development
Lots of UK companies use off-shore developers these days. However, EU data protection rules are such that personal data should never be passed across.
"BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests" -- unless we are selling your info to Phorm!
... is a test system exposed to the outside world in the first place?
Hey, this time you "forgot" to mention that Hackersploit.org is an "underground forum" - buried under a runway in Heathrow (presumably). Good on you.
On a sidenote, BT would never lose customer data. They would sell it to the highest bidder (on underground forums maybe? Erm sorry)
Is BT lying?
Or is it sheer ignorance?
It may have been a test database...
...but the flaw is in the CODE. Presumably this code would go live at some point, if the flaw weren't discovered and then the injection attacks would apply to a LIVE database...
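The point made above (the defect lives in the code, so it behaves the same whichever database sits behind it) is easy to show. The following is an added example written for this thread, not code from BT or from the article; the table, rows and column names are constructed, and the same two lookup functions are run against a "test" and a "live" copy of the schema to show that only the query construction matters.

```python
import sqlite3

# Constructed sample schema and rows; not any real system's data.
TEST_ROWS = [("tester1", "tester1@test.invalid"), ("tester2", "tester2@test.invalid")]
LIVE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com"),
             ("carol", "carol@example.com")]


def build_db(rows):
    """Create an in-memory database with the same schema as the "live" one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers (username, email) VALUES (?, ?)", rows)
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the parameter is pasted into the SQL text, so whatever the
    caller supplies is parsed by the database as part of the statement."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is bound separately from the statement, so the
    database treats it purely as data and never as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(rows, supplied):
    """Run both lookups against a database built from `rows` with the same
    user-supplied value, and report how many rows each returned."""
    conn = build_db(rows)
    return {
        "vulnerable": len(lookup_vulnerable(conn, supplied)),
        "parameterized": len(lookup_parameterized(conn, supplied)),
    }


# The textbook tautology payload, already the subject of this thread; used
# here only to show the difference between the two query styles.
HOSTILE = "' OR '1'='1"

if __name__ == "__main__":
    for label, rows in (("test", TEST_ROWS), ("live", LIVE_ROWS)):
        print(label, "benign:", compare(rows, "alice"))
        print(label, "hostile:", compare(rows, HOSTILE))
```

Against the test copy the vulnerable lookup leaks only dummy rows; against the live copy the identical function leaks every customer row, while the parameterized version returns nothing for the hostile value in both cases. That is exactly why "it was only a test database" says nothing about the defect itself.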
"EU data protection rules are such that personal data should never be passed across"
what, you mean like the development database that was sent out to India for the outsourced DBAs to work on? You know, the one that was supposed to have been anonymised before being sent out.
What? What do you mean no-one anonymised it!? Fuck me, better not tell anyone then, especially as it was a DWP database.
AC: Coz they won't like that one being bandied about, no siree.
BT hacked data as anonymous as a unique Phorm identifier?
Had a little search round the internet using some of the hacked data as documented on www.hackersblog.org. Data appears to be live and not anonymous.
How do you expect the hacker to know if it's a test or partner site? What is to differentiate them if they are on subdomains of the main domain x.telegraph.com or x.bt.com? They are more like sub-websites I'd say, rather than partner sites. There is usually no way of telling who controls them. Pretty convenient and easy excuse for companies, don't you think?
But returning to the issue at hand. First of all, send a few e-mails to the addresses disclosed in the original screenshots. See who those people are and if their personal information is accurate, before blatantly believing what a PR person says.
Quoting Rik Ferguson of Trend Micro: "According to an article on The Register, BT have stated that this intrusion only affected “a test database” and that “no customer details were released at any time“. Well I certainly don’t have any visibility of which systems or databases were compromised, but I can confirm, through my own research, that the information made visible through the compromise is real, valid and belongs to individuals not directly employed by British Telecom." Post here: http://countermeasures.trendmicro.eu/?p=146
Furthermore, the hacker disclosed a new vulnerability on BT.com, on a page that is cached in all search engines and unlikely to be a test site. He claims that this vulnerability grants him access to 37, not one, databases, full of personal information.
Are they lying?
Again? I just don't believe them any more.
Pull the other one BT, it's got PII on it
BT may have world leading protection against unauthorised access, but they leaked loads of customers' PII last October via their Beta forums, with loads of email addresses visible in the page source of their tag cloud, and the user profile pages - no hacking needed at all - just "view source". And all that information found its way onto Google and Google cache. Easy to find, and easy to exploit.
I have it all on paper, copies of the google pages with the email addresses and user names, an ICO complaint reference number, the lot.
10 pages of forum posts embarrassing to BT from beginning to end.
This week's news is just a bit extra.
I'm afraid that statement from BT simply does not stack up with the hard facts of how BT actually function out here in the real world customers live in.
But what would I know? I'm just a customer. Never did get an apology either, they seem to be more interested in banning people from their BT customer forums than protecting their privacy.
Oh and they did it in 2000 too
And they were warned about the potential for the 2008 leak, way back in October 2007, again by their helpful but much ignored, customers.
Do I sound bitter? Yes I do. Sorry.
It's a sad day ...
... but I'm more inclined to believe a Romanian hacker than I am inclined to believe BT.
How did we ever get to this?