Offshored Development
Posted Wednesday 11th March 2009 16:02 GMT
Lots of UK companies use off-shore developers these days. However, EU data protection rules are such that personal data should never be passed across.
Posted Wednesday 11th March 2009 16:02 GMT
"BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests" -- unless we are selling your info to Phorm!
Posted Wednesday 11th March 2009 17:07 GMT
... is a test system exposed to the outside world in the first place?
Posted Wednesday 11th March 2009 17:07 GMT
Hey, this time you "forgot" to mention that Hackersploit.org is an "underground forum" - buried under a runway in Heathrow (presumably). Good on you.
On a side note, BT would never lose customer data. They would sell it to the highest bidder (on underground forums maybe? Erm, sorry).
Posted Wednesday 11th March 2009 17:07 GMT
...but the flaw is in the CODE. Presumably this code would go live at some point if the flaw weren't discovered, and then the injection attacks would apply to a LIVE database...
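The point the comment above makes is that the injection lives in the query-building code, not in the database it happens to be pointed at, so the same code dumps whatever data sits behind it. The following is an added, self-contained illustration (not code from the thread, BT, or hackersblog.org) using an in-memory SQLite table with constructed rows: the concatenating lookup hands the attacker every row and the schema, while the parameterised version treats the same payloads as a literal username.

```python
import sqlite3

# Constructed sample rows standing in for a "test" database that, as the
# thread argues, may well hold live customer records.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "0100 000 0001"),
    ("bob", "bob@example.com", "0100 000 0002"),
    ("carol", "carol@example.com", "0100 000 0003"),
]

# Hypothetical attacker inputs: tautology to dump the table, UNION to read the schema.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_SCHEMA = "' UNION SELECT name, sql, '' FROM sqlite_master--"


def make_db():
    """Create the sample database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, username):
    """Builds the statement by string formatting: the input becomes SQL grammar."""
    sql = f"SELECT username, email, phone FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Parameterised statement: the driver passes the value out of band, never as SQL."""
    sql = "SELECT username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against both payloads and return the results for comparison."""
    conn = make_db()
    return {
        # Tautology: every customer row comes back, the WHERE clause is always true.
        "vulnerable_dump": vulnerable_lookup(conn, PAYLOAD_TAUTOLOGY),
        # UNION: the attacker reads table names and CREATE statements out of sqlite_master.
        "vulnerable_schema": vulnerable_lookup(conn, PAYLOAD_SCHEMA),
        # The parameterised query looks for a user literally named "' OR '1'='1": none.
        "safe_dump": safe_lookup(conn, PAYLOAD_TAUTOLOGY),
        "safe_schema": safe_lookup(conn, PAYLOAD_SCHEMA),
        # Normal use still works.
        "safe_normal": safe_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Swapping the connection string from the test instance to production changes nothing about `vulnerable_lookup`; only the rows it returns get more valuable.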
Posted Wednesday 11th March 2009 23:39 GMT
"EU data protection rules are such that personal data should never be passed across"
what, you mean like the development database that was sent out to India for the outsourced DBAs to work on? You know, the one that was supposed to have been anonymised before being sent out.
What? What do you mean no-one anonymised it!? Fuck me, better not tell anyone then, especially as it was a DWP database.
AC: Coz they won't like that one being bandied about, no siree.
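The comment above describes a development copy that was supposed to be anonymised before leaving the country and was not. As an added example (not from the thread or any of the organisations named), here is the kind of pseudonymisation step such a copy would go through before being handed to an outsourced team, together with the check that should gate the hand-over. It uses constructed sample rows, a constructed demonstration key, and the RFC 2606 reserved domain `example.invalid` for rewritten addresses; field names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample extract standing in for a production copy (not data from the page).
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "dob": "1975-03-11"},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob.example@example.org",
     "postcode": "EH1 2NG", "dob": "1982-11-30"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": "29.99"},
    {"order_id": 2, "customer_id": 1002, "amount": "5.00"},
    {"order_id": 3, "customer_id": 1001, "amount": "100.00"},
]

# Demonstration key (constructed). In real use it comes from a secrets store and never
# travels with the anonymised copy, so the tokens cannot be reversed by whoever receives it.
KEY = b"demo-key-do-not-reuse"
SAFE_DOMAIN = "example.invalid"  # RFC 2606 reserved: mail to it cannot reach a real person

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def token(value, key=KEY):
    """Keyed pseudonym for one identifier. Same input, same output, so joins survive."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()


def pseudo_id(customer_id, key=KEY):
    """Stable surrogate key of the original's type so foreign keys still line up."""
    return int(token(customer_id, key)[:8], 16)


def pseudonymise_customers(rows, key=KEY):
    """Replace direct identifiers, coarsen quasi-identifiers, keep the row shape."""
    out = []
    for r in rows:
        t = token(r["customer_id"], key)
        out.append({
            "customer_id": pseudo_id(r["customer_id"], key),
            "name": "Customer " + t[:8],
            "email": f"{t[:12]}@{SAFE_DOMAIN}",
            "postcode": r["postcode"].split()[0],  # outward code only
            "dob": r["dob"][:4] + "-01-01",        # year only
        })
    return out


def pseudonymise_orders(rows, key=KEY):
    """Rewrite the foreign key with the same function so ORDERS still joins to CUSTOMERS."""
    return [dict(r, customer_id=pseudo_id(r["customer_id"], key)) for r in rows]


def leak_check(original, anonymised):
    """Gate before hand-over: list every place the copy still carries original PII."""
    originals = set()
    for r in original:
        originals.update([r["name"], r["email"], r["postcode"], r["dob"]])
    findings = []
    for r in anonymised:
        for field, value in r.items():
            if isinstance(value, str) and value in originals:
                findings.append((field, value))
            m = EMAIL_RE.search(str(value))
            if m and not m.group(0).endswith("@" + SAFE_DOMAIN):
                findings.append((field, m.group(0)))
    return findings


if __name__ == "__main__":
    customers = pseudonymise_customers(CUSTOMERS)
    orders = pseudonymise_orders(ORDERS)
    print("findings on anonymised copy:", leak_check(CUSTOMERS, customers))
    print("findings on raw copy:", leak_check(CUSTOMERS, CUSTOMERS))
    print(customers, orders)
```

The check is deliberately run on the raw extract too: if it reports nothing there, the check itself is broken and nothing should ship.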
Posted Thursday 12th March 2009 10:49 GMT
Had a little search round the internet using some of the hacked data as documented on www.hackersblog.org. Data appears to be live and not anonymous.
Posted Thursday 12th March 2009 10:49 GMT
Hi,
How do you expect the hacker to know if it's a test or partner site? What is to differentiate them if they are on subdomains of the main domain x.telegraph.com or x.bt.com? They are more like sub-websites I'd say, rather than partner sites. There is usually no way of telling who controls them. Pretty convenient and easy excuse for companies, don't you think?
But returning to the issue at hand. First of all, send a few e-mails to the addresses disclosed in the original screenshots. See who those people are and if their personal information is accurate, before blatantly believing what a PR person says.
Quoting Rik Ferguson of Trend Micro: "According to an article on The Register, BT have stated that this intrusion only affected “a test database” and that “no customer details were released at any time“. Well I certainly don’t have any visibility of which systems or databases were compromised, but I can confirm, through my own research, that the information made visible through the compromise is real, valid and belongs to individuals not directly employed by British Telecom." Post here: http://countermeasures.trendmicro.eu/?p=146
Furthermore, the hacker disclosed a new vulnerability on BT.com, on a page that is cached in all search engines and unlikely to be a test site. He claims that this vulnerability grants him access to 37, not one, databases, full of personal information.
Posted Thursday 12th March 2009 12:56 GMT
Again? I just don't believe them any more.
Posted Thursday 12th March 2009 18:09 GMT
BT may have world-leading protection against unauthorised access, but they leaked loads of customers' PII last October via their Beta forums, with loads of email addresses visible in the page source of their tag cloud and the user profile pages - no hacking needed at all, just "view source". And all that information found its way onto Google and Google cache. Easy to find, and easy to exploit.
I have it all on paper, copies of the google pages with the email addresses and user names, an ICO complaint reference number, the lot.
https://nodpi.org/forum/index.php?topic=304.30
10 pages of forum posts embarrassing to BT from beginning to end.
This week's news is just a bit extra.
I'm afraid that statement from BT simply does not stack up with the hard facts of how BT actually function out here in the real world customers live in.
But what would I know? I'm just a customer. Never did get an apology either, they seem to be more interested in banning people from their BT customer forums than protecting their privacy.
Oh and they did it in 2000 too
http://www.theregister.co.uk/2000/04/27/btopenworld_security_glitch_reveals_thousands/
And they were warned about the potential for the 2008 leak, way back in October 2007, again by their helpful but much ignored, customers.
Do I sound bitter? Yes I do. Sorry.
Posted Friday 13th March 2009 11:31 GMT
... but I'm more inclined to believe a Romanian hacker than I am inclined to believe BT.
How did we ever get to this?