Demon splurges details of 3,600 customers in billing email

Demon Internet sent thousands of business and government subscribers an email this morning telling them all about a new e-billing system, and tacked on details, including passwords, for 3,600 customers. The email - supposedly from Simon Blackburn, Demon's director of customer service - has been sent to customers opting for e- …

COMMENTS

IT Angle

user names and passwords

"A spokeswoman for Demon said the company had changed the passwords which were sent out and was in the process of changing user names too"

What were they doing storing passwords in the clear in the first place? What were they doing emailing this document around the company?

Anonymous Coward

Errr...

If they've changed all their usernames and passwords, how will they be able to read the email being sent?

FAIL

Looks like...

Someone might be looking for a new job then. With an attention to the minutiae of data protection like that he should be able to have his pick of any number of govt. departments.

FAIL

Passwords in a .csv file?

In plain text as well presumably? Wow sounds really secure.

Anonymous Coward

Re: Errrrr

The usernames and passwords are for an online billing system for dsl and do not relate to services such as email.

Anonymous Coward

wut lol

How hard would it be to block mails to external addresses if documents are attached?

FAIL

LOL Maybe time to switch

I spent an hour or so with Demon tech support last night and was basically told to wait 36 hours to see if my problem goes away... Maybe this is a sign to swap providers.


Demon these days are a joke anyway

Back in the 90s when I joined them they were a small company that cared about their customers. Since they got taken over by Thus they've increasingly turned into a faceless organisation that couldn't give a rat's arse about them. Their helpdesk is hosted abroad and is a joke - half the "consultants" on it have a tough time telling you their own name in a recognisable language, never mind solving your problem - whereas it used to be in Southend, staffed by technical types who had a clue. And their web pages' FTP service seems to have an issue at least once a week. This cockup doesn't surprise me in the least.

FAIL

Poundhost

Similar to what Poundhost.com did the other day. See https://secure.grepular.com/blog/index.php/2009/09/21/poundhost-vs-rapidswitch/

Megaphone

Simply pathetic

You don't store cleartext passwords in the 19th century. Oh wait...

FAIL

Facepalm

Someone's going to be missing out on their Christmas bonus this year!

FAIL

Directors!

Directors should never be allowed near anything that important - like email or anything with sharp edges.

FAIL

Management fail 101

"Delores, come in here; that pesky email program, it's made a mistake again."

Passwords

I received the email and attachments - my details were not in the CSV file - but my password was...allocated to someone else. Demon don't have much "luck" with e-billing, their first attempt had to be suspended because it did not work!

Passwords In Plain Text?

I agree with Doug - there is clearly something fundamentally broken if the passwords can be retrieved in this fashion at all, let alone posted out for all to see.

FAIL

"there was no evidence that ...

... anyone had logged in with someone else's details"

And that evidence would look like what?

www.duhmon.co.uk ....

Paris Hilton

WTF?

Are these guys for real?

This must be a joke.

Paris, just because.

Anonymous Coward

...How?

They say that nobody has used the credentials to log in to their users' accounts; but how do they know? Especially if they used the details they sent and got authenticated, surely that wouldn't raise any errors unless they had some big brother tracking on everything logging in!

FAIL

Security....

..They've heard of it.

Paris Hilton

Demon is so last century

The question isn't even why anyone is still with Demon: for some years now it has been why you're still with Nildram, to where you'd moved after the first mass migration away from Demon when Thus first got involved. As seems sadly inevitable, that bolthole went downhill too and it was time to abandon it in turn.

(Andrews & Arnold are lovely though)

Paris, because it's who Cliff would have chosen

Unhappy

Oh dear...

...and Demon used to be the good guys.

FAIL

Password

'Passwords in plaintext' is a non-issue. The e-mail was about a new service, e-billing, which required a username and password to log in. It's a chicken and egg situation. You need a password to log in, you have no password, so how do you log in? Ah, yes, the provider gives you a password, but it has to be in plain text.

This CSV file is just a data source for an e-mail merge that accidentally got attached to the e-mail itself. There's no reason to suppose the e-billing system stores passwords in plaintext.

So someone pressed the wrong button in Outlook. Stupid mistake. Easily fixed. Nothing to see. Move along now.

Skizz

FAIL

Passwords in plaintext

Although they shouldn't be stored in plaintext, most ISPs have a need to be able to retrieve a plaintext password. Why?

Well, the one scenario I've definitely come across is when reporting an ADSL fault to BT: you need to submit the end user's connection username and password to BT in the fault report. You can't just change the password to something else, then submit that, as then you'd need to get the customer to change the password on their router.

So before people comment about passwords being available in plaintext, it might be nice if they looked at the operational reasons for it.

FAIL

Prosecute them...

This kind of thing is just going to keep happening unless and until some organisation is prosecuted under data protection legislation and fined the maximum amount possible. We keep being told how much identity fraud is costing the country, and how much police forces are spending to fight it. Demon's crime may be the result of carelessness, but it is a crime none the less and they should have to pay the penalty - say £1000 per set of details; £360K should get their attention...

Joke

Oops!

That's certainly a case of **** hit the email recall button.

I'm glad I am no longer with Demon

I was there for 12 years, first using an Amiga A1200 for email, newsgroups (Thor) and the web (AWeb, when you had to buy a browser).

I left last year because I got joe-jobbed on my pseudo sub-domain, and got 75,000 emails on my account.

So minus a few marks for scanning incoming messages.

Then they couldn't release my email back to my control, and the only way to get a new Demon sub-domain was to pay for the privilege.

So I jumped. And I'd recommend others to as well.

WTF?

Hmmm

"But the email also has a .csv attachment with 3,681 customer records on it. Entries include names, emails, telephone numbers"

Are they going to change everyone's telephone numbers too....

I hope they get screwed for this..

Too many people getting away with it.

Paris Hilton

@ Skizz & @ AC 12:14

@ Skizz - Have you EVER used an online service before? Most (reputable ones anyway) allow you to enter your details, account number, address, dob etc. and create your own username and password, to avoid stupid mistakes like this and storing passwords in plain text.

@ AC 12:14 - That may be a valid reason for connection details (although I'm not sure it is, and I wonder how many end users know about this practice?) but this was not the same login. This was for a new billing system that Demon should have allowed their users to set up their own accounts for.

Simples.

Paris? Because she's pretty.

distributed how wide?

We know 3,681 sets of details, but I would be interested to know how many recipients?

FAIL

@ Denise H C

> I received the email and attachments - my details were not in

> the CSV file - but my password was...allocated to someone else.

Of course, it's not normally a problem if someone else has the same password as you, because neither of you would know.

OTOH, if Demon are re-using a limited number of passwords, that would be naughty (my lawyer advised me not to say "criminal").

Anonymous Coward

@ Jason 71

Jason 71: "Are they going to change everyone's telephone numbers too...."

Good point!!

Goodness only knows why such pathetic "toothless" data protection laws are allowed to continue.

Paris Hilton

@Skizz

There's always a need to perform one access of a system where you don't have full access to credentials (i.e. an initial registration), but there are so many different ways to achieve it in the year 2009, for instance:

- verification against a challenge letter (yes, a real letter sent in the post)

- verification against a challenge sent by SMS to a registered mobile phone

- verification against a certification pad (like PINsentry), or software equivalent

- verification against a password registered on a website in response to an email containing a link with a reference

Bottom line is that it is unforgivable that details are sent out in a fashion like this. This is not a High Street store enticing new customers with a loyalty scheme, it's an ISP that should know better. Back in the day they were a great ISP as well, full of technical competence and great on delivery.

I agree that Data Protection action should be taken against Demon so that a lesson is taught to all companies that employ incompetent fools to manage data of the masses. If they have to think before pressing the button, they might prevent shams like this.

Paris, because no password needed to access her backdoor.

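One way to do the fourth option listed in the post above (a link with a reference, then a password the customer registers themselves), as an added example that is not Demon's code or anything from the original thread: the emailed reference is single-use and short-lived, the system stores only a hash of it, and the customer picks their own password, so there is never a provider-chosen plaintext password to put in a mail-merge CSV. The `Enrolment` class, `TOKEN_TTL` and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 60 * 60  # activation reference lives one day (assumed)

def _kdf(password, salt):
    """Slow salted hash for the customer-chosen password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Enrolment:
    """In-memory stand-in for the billing system's account store (assumed API)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # sha256(reference) -> (email, expiry)
        self.accounts = {}  # email -> (salt, password hash)

    def issue_reference(self, email):
        """Mint the one-time reference that goes into the emailed link.
        Only its hash is kept, so the merge data holds nothing reusable."""
        reference = secrets.token_urlsafe(32)
        digest = hashlib.sha256(reference.encode()).digest()
        self.pending[digest] = (email, self.now() + TOKEN_TTL)
        return reference  # this is the mail-merge field, not a password

    def activate(self, reference, new_password):
        """Customer follows the link once and picks their own password."""
        digest = hashlib.sha256(reference.encode()).digest()
        entry = self.pending.pop(digest, None)  # consumed on first use, valid or not
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _kdf(new_password, salt))
        return True

    def login(self, email, password):
        """Verify in constant time against the stored hash; no plaintext is kept."""
        record = self.accounts.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _kdf(password, salt))
```

A leaked `pending` table yields only hashes of references that expire within a day; a leaked `accounts` table yields only salted password hashes.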
@boltar

What boltar said.

FAIL

She said there was no evidence of anyone logging in using someone else's details.

Reminds me of the old Thermos joke punch line: But how do he know?

Anonymous Coward

@Poundhost

I heard about that too.. Apparently someone then replied to all with a rather unsavoury picture too.

Thumb Down

Shocked but not surprised....

... since a few months ago they sent me someone else's invoice details by mistake.

I'd like to get a hold of this CSV file to see if I'm on it or not.


Demon

maybe for dial-up +10 years ago!

They hosted one of the best Quake II Lithium servers though ;-p, so credit for that.

FAIL

Re: Password

"So someone pressed the wrong button in Outlook. Stupid mistake. Easily fixed. Nothing to see. Move along now."

So to "mail-merge" in Outlook you first attach the source data to the message? Quite the fail in waiting, that is.

FAIL

Not the first time...

Quite some time ago, a Demon employee posted my personal details into an IRC chat room to "prove" he worked for them. I was furious. Has to be said, I am still a subscriber with multiple lines as, aside from this, they've always provided a great service.

Anonymous Coward

And another thing

Shouldn't passwords be bloody encrypted anyway? What the fuck are these people doing? They're supposed to be one of the UK's oldest ISPs, I assume they're now senile?

Flame

And I thought Public Sector only got it wrong..

Yeah you see, Private companies *can* get it as wrong as the Public Sector.

Grenade

Poor show, Demon.

If you were looking to impress government officials with your security record, you failed.

After all, anyone with credibility ensures customer data is truly out of control by leaving it on a train, or - better still - on a USB stick in a car park. Sending it by e-mail (half-points for not using encryption, though) only shows a lack of commitment.

Methinks they have much catching up to do, but I'll give them 6/10 for effort.

(if reader=American) /sarcasm (endif)

Paris Hilton

nothing to do with the recent takeover, honest.

It would take a more cruel person than I to mention that they were taken over by Clueless and Witless, because their accounts department has always sucked royally.

Paris, because she doesn't kiss and tell with customer details.

Grenade

Long time customer

Quite sad to witness the slow, inexorable decline of a great company, whose cost-cutting out-sourcing mania resulted in me becoming an ex-customer earlier this year.

Will no doubt be acquired at an enormous loss by somebody soon.

Demon

Sounds like I left Demon at the right time then...

Mike

Thumb Up

This is a good reason to not re-use passwords...

This sort of occurrence is way too common, unfortunately. Hopefully, in this case, Demon was simply sending out passwords they had generated, rather than passwords previously used by customers, because, as we all know, password re-use is horribly high.

You can see how this sort of thing would happen by a mail merge sort of activity, but it is also unfortunate that Demon isn't using technology that would have detected just this sort of accidental leakage and prevented it from occurring. Further to a previous poster's point, there are also great encryption solutions available that would allow them to send this information out without resorting to plain text emails.

Michael Argast, Security Analyst, Sophos

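The sort of outbound check suggested earlier in the thread (block mail to external addresses with documents attached) and by the post above (technology that detects accidental leakage), as an added example that is neither Sophos' nor Demon's code: it holds for review any message to an outside domain that carries a CSV attachment with credential-looking columns or more records than one customer could need. `INTERNAL_DOMAINS`, `CREDENTIAL_COLUMNS`, the threshold and the sample message are constructed assumptions.

```python
import csv
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"demon.example"}  # assumed, not the ISP's real domain
CREDENTIAL_COLUMNS = {"password", "passwd", "pwd", "username", "user name"}
MAX_RECORDS_WITHOUT_REVIEW = 10       # assumed threshold for bulk customer data

def external_recipients(msg):
    """Recipient addresses whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def csv_findings(msg):
    """For each CSV attachment: (filename, credential columns found, data row count)."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".csv"):
            continue
        text = part.get_content()
        if isinstance(text, bytes):
            text = text.decode("utf-8", "replace")
        rows = list(csv.reader(text.splitlines()))
        if not rows:
            continue
        header = {h.strip().lower() for h in rows[0]}
        findings.append((name, sorted(header & CREDENTIAL_COLUMNS), len(rows) - 1))
    return findings

def should_quarantine(msg):
    """Hold for human review: external recipient plus a CSV with credential columns or bulk records."""
    if not external_recipients(msg):
        return False
    return any(cols or count > MAX_RECORDS_WITHOUT_REVIEW
               for _, cols, count in csv_findings(msg))

def build_sample(to="customer@customer.example"):
    """Constructed message modelled on the incident: the mail-merge data source attached by mistake."""
    msg = EmailMessage()
    msg["From"] = "ebilling@demon.example"
    msg["To"] = to
    msg.set_content("Details of the new e-billing system are below.")
    merge = ("Name,Email,Telephone,Username,Password\n"
             "A Customer,a@customer.example,01000000000,acust,hunter2\n")
    msg.add_attachment(merge, subtype="csv", filename="ebilling_merge.csv")
    return msg
```

The same message addressed to an internal mailbox passes, so the check targets the leak path rather than the merge workflow itself.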
FAIL

Good Luck Crims

I've been with "A Tenner a Month" [Demon] for a while. A couple of years ago they tried to introduce e-billing for my account. It wasn't working properly then and still doesn't work for me yet.

I wonder if the Crims will have any more luck gaining access to my account than I have had?

WTF?

Demon passwords....

I'm sure that New Scotland Yard don't need a Demon account- users there will be {name}@met.police.uk. It may be someone who /wishes/ he worked for NSY. Probably lives with his mother.

FAIL

Demon don't know privacy

Today I phoned Demon to get them to check the access lists on a router they manage for my employer. All I gave them was the IP address of the router, and they told me everything I asked for. I didn't even give my name or company. More than a bit scary, and it makes this story seem entirely expected.

bring back that old time punishment

A comma-separated file with cleartext names and passwords? Just HAVING that ANYWHERE means they need to be spanked very hard. Actually sending it around means they need to be hung, drawn and quartered. What are these incompetent idiots doing in charge of anything more complicated than a swing set?
