Off Shored Development
Lots of UK companies use off-shore developers these days. However, EU data protection rules are such that personal data should never be passed across.
BT has dismissed the significance of supposed vulnerabilities on its systems detailed by infamous hacker Unu on Tuesday. The Romanian hacker posted screenshots illustrating what he claimed highlighted SQL injections in a posting at Hackersploit.org. "A faulty parameter, improperly sanitized opens the vault to the precious ( …
"EU data protection rules are such that personal data should never be passed across"
What, you mean like the development database that was sent out to India for the outsourced DBAs to work on? You know, the one that was supposed to have been anonymised before being sent out.
What? What do you mean no-one anonymised it!? Fuck me, better not tell anyone then, especially as it was a DWP database.
AC: Coz they won't like that one being bandied about, no siree.
Hi,
How do you expect the hacker to know if it's a test or partner site? What is to differentiate them if they are on subdomains of the main domain x.telegraph.com or x.bt.com? They are more like sub-websites I'd say, rather than partner sites. There is usually no way of telling who controls them. Pretty convenient and easy excuse for companies, don't you think?
But returning to the issue at hand. First of all, send a few e-mails to the addresses disclosed in the original screenshots. See who those people are and if their personal information is accurate, before blatantly believing what a PR person says.
Quoting Rik Ferguson of Trend Micro: "According to an article on The Register, BT have stated that this intrusion only affected “a test database” and that “no customer details were released at any time“. Well I certainly don’t have any visibility of which systems or databases were compromised, but I can confirm, through my own research, that the information made visible through the compromise is real, valid and belongs to individuals not directly employed by British Telecom." Post here: http://countermeasures.trendmicro.eu/?p=146
Furthermore, the hacker disclosed a new vulnerability on BT.com, on a page that is cached in all search engines and unlikely to be a test site. He claims that this vulnerability grants him access to 37, not one, databases, full of personal information.
BT may have world leading protection against unauthorised access, but they leaked loads of customers' PII last October via their Beta forums, with loads of email addresses visible in the page source of their tag cloud and the user profile pages - no hacking needed at all - just "view source". And all that information found its way onto Google and Google cache. Easy to find, and easy to exploit.
I have it all on paper, copies of the google pages with the email addresses and user names, an ICO complaint reference number, the lot.
https://nodpi.org/forum/index.php?topic=304.30
10 pages of forum posts embarrassing to BT from beginning to end.
This week's news is just a bit extra.
I'm afraid that statement from BT simply does not stack up with the hard facts of how BT actually function out here in the real world customers live in.
But what would I know? I'm just a customer. Never did get an apology either, they seem to be more interested in banning people from their BT customer forums than protecting their privacy.
Oh, and they did it in 2000 too:
http://www.theregister.co.uk/2000/04/27/btopenworld_security_glitch_reveals_thousands/
And they were warned about the potential for the 2008 leak way back in October 2007, again by their helpful but much-ignored customers.
Do I sound bitter? Yes I do. Sorry.