O2 notifies data cops 'for courtesy' ... AFTER El Reg intervenes in email phish dustup

O2 has denied that it's suffered a serious data breach after customers began receiving sophisticated phishing emails that appeared to have been sent by the mobile operator late last month. It was claimed by subscribers that the body of the email included their name, email address, and date of birth. The dodgy messages about …

  1. The Druid

    It's shocking that companies can take this attitude when a security breach is brought to their attention. Companies are now so afraid of the media scandal and backlash that follows, they would rather flatly deny that problems exist.

    A similar thing happened to me with Nectar; they insisted the details used in the e-mails I was receiving must have been guessed, which is highly unlikely.

    There should be better mechanisms in place forcing companies to check or prove their security is appropriate and hasn't been breached. There are lots of IT professionals using services who are very quick to spot when something doesn't look right.

    I guess people need to take their custom elsewhere in order to make these dinosaurs listen.

    1. John H Woods Silver badge

      plus form addressing

      Although some companies incorrectly forbid it, it's worth using unique email addresses of the form username+companyname@emailprovider, e.g. jhwoods+O2@live.co.uk. The email turns up in the normal address box but you can still see the original address that was used and incorporate it in filters etc. If you start getting phishing emails with +companyname in the to: address, it's a pretty safe bet your details came from them.

      It's possible that smarter scammers will trim the +form, but in practice I've found it a useful technique to determine who is sharing emails. However, in this case, the presence of PUK codes (who else do you ever share those with?) is pretty much a slam dunk, isn't it?

      1. Simple Si

        Re: plus form addressing

        I agree with John, plus addressing certainly helps, but sadly there are a lot of websites that prevent the + character being added in your email address when signing up due to poor input validation, despite it being an acceptable character under email standards.

        Certainly helps determine who MAY have leaked/shared your email address.

      2. Anonymous Coward

        Re: plus form addressing

        One of the joys of having one's own domain is just that - I can use a unique email address prefix for each business I deal with. Only one has been compromised and they denied it, saying that it must have been my system that was to blame. Amazon UK, hang your head in shame. But it is interesting how a bunch of seemingly unrelated theatres and ticketing agencies whose privacy statements said they did not share data all started sending me offers ... ICO issue perhaps?

    2. Anonymous Coward

      William Hill too. I know they leaked my email address because I use a different one for each website I use. It's pretty unlikely spammers started guessing they should send email to williamhill@mydomain.

      Contact them repeatedly and they just skim the emails and send back a "we haven't leaked anything" email.

      1. JoshOvki

        Ah they could be being completely honest with "we haven't leaked anything", what you should have asked is "Did you sell my email address?"

      2. TheTick

        Had the same with William Hill, signed up with williamhill@mydomain, got spam addressed to williamhill@mydomain.

        Didn't report it, they are just on my never deal with again list.

        1. VinceH

          @TheTick and AC

          It's possible that William Hill didn't leak either of your addresses - don't be so quick to jump that particular gun.

          I do a similar thing - unique address @mydomain for almost every company, organisation or website to which an address is given (and I have a couple of domains registered for that purpose and that purpose alone). It used to be that I used theirname@mydomain, but I stopped doing that a couple of years ago (at least... might be a little more).

          I began seeing spam fit that format - addressed as whatevercompany@mydomain - and even accused the companies in question of springing a leak. Then I saw similarly addressed spam, but where the companies put before the @ weren't companies I'd ever used.

          My opinion is that some spammers are wise to this trick, and might now spew email out to (for example) williamhill@ every domain on their lists - hoping that's going to be a valid address in some cases, where the company has been used by someone who does what you do/I used to do, and in those cases might therefore even be whitelisted.

          I now create a less obvious unique address in each case - sort of like a serial number; I have a few guidelines, but I don't apply them consistently, so the results look more or less random. (If a spam comes in to one of those addresses, I'll know at a glance if it's a real one of my addresses, then I just have to check through my records to see who I gave that address to - but as yet, there have been none.)

          1. Doctor Syntax Silver badge

            Re: @TheTick and AC

            "My opinion is that some spammers are wise to this trick, and might now spew email out to (for example) williamhill@ every domain on their lists"

            If that were the case everyone who runs their own domain would see this sort of thing happening. More likely is that spammers would only do that for domains where they find that sort of address. If they buy a list that has williamhill@somedomain on it then they'll also try, say, tesco@somedomain too.

            Personally I simply use a free mail address for anyone who I suspect might become a spammer. That way if NSA or GCHQ take a look at that inbox they'll get a load of Nigerian princes, urgent messages from the Outlook team and the occasional offer from Ticketmaster, all in the junk folder. Well, maybe not the urgent messages from the Outlook team as MS seem particularly adept at failing to recognise attempts to impersonate them; ISTM that it could be parlayed into evidence that they've abandoned some of their trademarks.

            1. VinceH

              Re: @TheTick and AC

              "If that were the case everyone who runs their own domain would see this sort of thing happening."

              Everyone who runs their own domain who...

              • Accepts all mail to the domain, or who is in a position to know what gets rejected;
              • And whose domain in question has been picked up by spammers.

              So, not everyone who runs their own domain, then.

              That doesn't necessarily mean you're wrong - just as your counter to my opinion doesn't mean I'm wrong.

              Either way, my approach avoids this particular problem - I might potentially still receive spam with addresses of that form, but I know it's not a leaked address.
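The tracking-address technique from John H Woods' plus-addressing post and VinceH's less guessable variant above, as an added example (not code from any commenter): it issues either a readable plus tag or an HMAC-derived opaque tag per company, then classifies an inbound recipient address as a tag you issued (that company shared or leaked it), a tag you never issued (a guessed spray, as VinceH describes), or a bare address (the +tag was trimmed). The domain, secret and sample addresses are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from email.utils import parseaddr

# All values below are constructed for the example.
MY_DOMAIN = "mydomain.example"
LOCAL_PART = "jhwoods"
TAG_SECRET = b"constructed-demo-secret"   # a real one would be random and private


def readable_tag(company: str) -> str:
    """Plus tag that names the company, as in jhwoods+O2@... (John H Woods)."""
    return company.replace(" ", "")


def opaque_tag(company: str) -> str:
    """Serial-number-style tag (VinceH): an HMAC of the company name, so you can
    recompute it but a spammer cannot guess it from the company's name."""
    mac = hmac.new(TAG_SECRET, company.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def issue(company: str, opaque: bool = False) -> tuple[str, str]:
    """Return (address, tag) to hand to a company and record in your books."""
    tag = opaque_tag(company) if opaque else readable_tag(company)
    return f"{LOCAL_PART}+{tag}@{MY_DOMAIN}", tag.lower()


def build_records(issued: list[tuple[str, bool]]) -> dict[str, str]:
    """tag -> company, for every address you have given out."""
    return {issue(name, opaque)[1]: name for name, opaque in issued}


def classify_recipient(header_value: str, records: dict[str, str]) -> tuple[str, str | None]:
    """Classify the To:/Delivered-To: value of an inbound message.

    'leaked-or-shared' : tag we issued, so the mail came via that company
    'guessed-tag'      : well-formed tag we never issued (a spray, not a leak)
    'untagged'         : bare address, e.g. the +tag was trimmed off
    'not-mine'         : some other local part or domain
    """
    _, addr = parseaddr(header_value)
    m = re.fullmatch(r"([^+@]+)(?:\+([^@]+))?@(.+)", addr.lower())
    if not m or m.group(1) != LOCAL_PART.lower() or m.group(3) != MY_DOMAIN:
        return ("not-mine", None)
    tag = m.group(2)
    if tag is None:
        return ("untagged", None)
    company = records.get(tag)
    if company is None:
        return ("guessed-tag", None)
    return ("leaked-or-shared", company)


# Addresses handed out so far: two readable tags and one opaque one.
RECORDS = build_records([("O2", False), ("Nectar", False), ("William Hill", True)])

if __name__ == "__main__":
    # Constructed inbound recipients: one per verdict.
    samples = [
        "Customer <jhwoods+O2@mydomain.example>",
        issue("William Hill", opaque=True)[0],
        "jhwoods+tesco@mydomain.example",   # never issued: a guess, per VinceH
        "jhwoods@mydomain.example",         # tag trimmed, as John H Woods warns
        "someone@mydomain.example",
    ]
    for s in samples:
        print(f"{s:45} -> {classify_recipient(s, RECORDS)}")
```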

    3. Evil Auditor Silver badge
      Devil

      Why do you believe that O2 leaked or sold the data? It's maybe part of their own business case to generate more profit...

      Then again, it's very likely that they leaked and sold, too.

  2. Flywheel

    I agree, but the problem is they're all just as bad as each other. Surely you've "done the rounds" of the mobile operators by now, only to find your choice is severely limited by mergers etc?

    1. SuccessCase

      O2 have gone seriously off the boil. It's clear now they have been in wrap up for merger mode.

      1. After getting a new business phone, and never within 2 days I was getting junk sales calls.

      2. O2 themselves have been spamming me. They force you to have to phone and go through a ridiculously convoluted telephone unsubscribe process to stop receiving spam from them, then they ignore it anyway. I have now phoned twice to unsubscribe and just today received more spam, wholly unrelated to my business account, from them.

  3. Blitterbug
    Flame

    Not surprised

    They will deny the sun rises in the east. After losing so many customer calls due to almost non-existent coverage in an area shown as 'covered' on their map, I threw my phone in a skip and got a PAYG jobbie from a different carrier. On the day my contract expired I phoned to cancel, and got into an argument with the most arrogant retention guy I've ever dealt with (I think over the fact that I get 4 bars from a rival carrier who O2 refuse to share a mast with).

    1. This post has been deleted by its author

  4. Peter Galbavy
    Thumb Down

    ICO - A shower of useless sh**

    Anyone want to get the watchdog a pair of dentures?

  5. Longrod_von_Hugendong
    WTF?

    Just because YOU cannot find evidence...

    Doesn't mean it didn't happen. Occam's razor probably applies here. There is no way that information came from Burger King...

    O2 are being tossers about it, just fess up it probably did come from us and we cannot find how. Stand up and be a man about it.

  6. Electron Shepherd

    Who says it's a breach

    Some time ago, we subscribed to a paid-for publication at the office, but (and it was a genuine mistake), we put the postcode down incorrectly on the application form. It was only one letter out, and right at the end, so it didn't stop postie from delivering it. What was interesting was how much other unsolicited mail we started receiving with the same mistake in the postcode.

    Maybe O2 just sold the data?

    1. Anonymous Coward

      Re: Who says it's a breach

      "Maybe O2 just sold the data?"

      Or swapped it for some reciprocal access with a third party ("you spam our customers, we'll spam yours"). Or they've used some tosspot third party emailer marketeer, that outfit have lost or sold the data, but haven't 'fessed up to O2.

      O2's greatest crime so far is their high-handed denial in the face of apparently overwhelming evidence that there is a problem.

      1. Anonymous Coward

        Re: Who says it's a breach

        I strongly suspect O2 hasn't been hacked, but one of the companies they work with has had data go walking.

        I'd hope an advertising/marketing company wouldn't be being sent PUK codes for targeted campaigns so that should rule them out.

        On the other hand, the third-party call centres that ask if you want to renew your contract/upgrade/get a new phone probably get that information for "customer service". My experience of said call centres would suggest a high number of disgruntled employees and shoddy security.

        Finding which of the many call centre companies doing this work was responsible may be a little harder....

      2. king of foo

        Re: Who says it's a breach

        I agree, it sounds like a marketing company/contractor requested a dump of customer email addresses etc for use in campaign x.

        Request was passed to a new employee/someone with access to extract said data but neither knows nor cares about the security implications.

        Whatever "report" was compiled and forwarded evidently held more than just contact info. Whoever was meant to give the data a sense check obviously couldn't be arsed to read it and just forwarded on.

        Contractor/agency then shares data with someone else. I wouldn't be surprised if it was uploaded as a public google doc or something daft like that.

        This kind of thing is impossible to contain.

        As soon as data exists it's inherently insecure.

    2. GreggS

      Re: Who says it's a breach

      Either that, or a disgruntled member of the IT staff did!!

      Of course, some of this data is shared between networks & OFCOM, so who's to say that one of them couldn't be the source of the breach?

      Coming as it does with Three mulling over a takeover......

      Me, cynical?

    3. Doctor Syntax Silver badge

      Re: Who says it's a breach

      "Maybe O2 just sold the data?"

      PUKs included?

    4. Roo

      Re: Who says it's a breach

      "Maybe O2 just sold the data?"

      In practice the phone companies use third parties to do their surveys/advertising, there's a very good chance that one of their suppliers simply misappropriated the details O2 provided them with...

  7. Paul 87

    Judging from the number of texts and calls you get from different companies around contract renewal time, it wouldn't surprise me if all mobile operators sell the commercial data to "trusted" third parties. Said "trusted" third parties then sell it on to other companies and eventually it reaches the hands of someone willing to sell it to scammers.

    Unfortunately there's fuck all you can do about it other than refuse to use the services and not provide the information in the first place. Companies are required by law in most places to maximise profits, and thus are compelled to sell your data if the opportunity arises.

    Makes me wonder if we shouldn't start organising a campaign to poison these data pools with false information and drive the value down. Register loads of changes of name, address details etc.

    1. frank ly

      "Companies are required by law in most places to maximise profits, ..."

      Are there actually any laws that say, "The company must be operated in such a way as to maximise profits, etc." or do the laws say, "The directors must act in the best interests of the shareholders, etc."?

      This isn't the first time that I've seen comments to the effect that companies are legally obliged to maximise their profits.

      1. Electron Shepherd

        There's no such law. Every company could generate more profit than is healthy in the short term, but at the expense of future profits, or even being in business next year.

        If it was actually illegal not to maximise annual profits, every company in the country would be in court.

        1. Anonymous Coward

          "There's no such law"

          Of course you are right. I did try to follow the paper trail on this urban myth once. It seems to go back to a 19th century Irish court case in which shareholders sued because the board were making donations they didn't like, a very different issue. And 19th century Ireland was hardly likely to be the shiny big apple of management science, in any case.

          Quite honestly, anybody who believes it can have their views on management ignored, as they have obviously never worked at boardroom level of even a small company. As soon as you start to think about market share, company longevity, R&D, and all of the other issues that hit managements day to day and year to year, it becomes obvious that "maximising profit" is meaningless.

      2. Alien8n

        Judging from some of the companies I've worked for it certainly is not a requirement to maximise profits. I recall one firm where the company's mission seemed to be to maximise the company's losses. I recall a figure of 25 million per quarter. Not helped by the purchasing attitude of "we need a laser testing machine" "how much?" "£750,000" "buy 2".

        All the time I was there both machines remained in storage and were never used.

      3. silent_count

        The specifics vary depending on which country you're in but a common thread is that directors of companies are required to 'promote the success' of their company. And how else does one measure success in a capitalist society?

        http://en.m.wikipedia.org/wiki/Directors%27_duties

        On an unrelated matter, O2 says that the phishers probably got customer details from the customer's computer (which the phishers had presumably compromised). This is nonsensical! If you've compromised someone's computer why would you bother sending them a phishing email?

        1. Gordon 10

          But that's a very different proposition to "maximise profits" which is what the OP massively incorrectly stated.

          In summary - OP posted cobblers.

    2. A Non e-mouse Silver badge

      "Makes me wonder if we shouldn't start organising a campaign to poison these data pools with false information and drive the value down."

      If I see no reason why a website needs my personal info, I make it up. I usually offer:

      Mr. T. Blair, 10 Downing Street. London. SW1A 1AA

      DOB 1/1/1970

      Phone Number: 020 7946 1234

      1. Vic

        DOB 1/1/1970

        Hey! That's my birthday too!

        Yours,

        Mr. E. Poch.

    3. Chad H.

      " Companies are required by law in most places to maximise profits."

      I believe the correct phrase is "maximise shareholder value", not maximise profits.

      This is a very different thing, as the term is user definable - Network Rail for instance is non-profit, it maximises shareholder value by putting earnings back into the railway network (its Shareholders being the Train Operating Companies).

      Another company might "maximise value" by turning away some business to build an aura of exclusivity - trading tangible value (revenue) for an intangible result (Branding).

      Some might play the short game (sell poor quality as quick as possible then skip town) where as others might play the long game (earn a little less now, but build long term loyalty).

      If the law was maximise profits, then companies would never be able to give to charity, and rarely be able to sponsor sports teams. You might consider the latter to be preferable though :p

      1. Peter2 Silver badge

        Re: " Companies are required by law in most places to maximise profits."

        s.172 CA 2006, "to promote the success of the company for the benefit of its members as a whole". It sets out six factors to which a director must have regard in fulfilling the duty to promote success. These are:

        -the likely consequences of any decision in the long term

        -the interests of the company’s employees

        -the need to foster the company’s business relationships with suppliers, customers and others

        -the impact of the company’s operations on the community and the environment

        -the desirability of the company maintaining a reputation for high standards of business conduct

        -the need to act fairly as between members of a company

        Conspicuously missing is a bit that says "you must produce the maximum financial profit". Or a bit where it says "you should act as a sociopathic knob pursuing these objectives."

    4. Destroy All Monsters Silver badge
      Thumb Down

      "Companies are required by law in most places to maximise profits"

      LOLNO.

      Maybe in Zimbabwe.

  8. Kevin Johnston

    @silent_count...

    .......This is nonsensical! If you've compromised someone's computer why would you bother sending them a phishing email?......

    A very clear and simple rebuttal of the O2 response

    1. Doctor Syntax Silver badge

      "A very clear and simple rebuttal of the O2 response"

      True. An even clearer one is "how would the customer's computer have the PUK on it?".

  9. This post has been deleted by its author

  10. cantankerous swineherd

    corrupt insider making some cash?

    1. Anonymous Coward

      @cantankerous swineherd

      I agree. Years ago I used to resell Demon Internet packages as part of their reseller scheme, and I used to complete Demon Internet reseller forms in a certain way so that they read something like MY CLIENT'S NAME, C/O MY COMPANY NAME, MY COMPANY ADDRESS, so that when Demon sent me invoices I knew exactly which client each related to. Anyway, one day I received around 100 of those AOL CDs that were abundant in the 90s when the internet boom happened, and all of the address labels on those AOL CDs read exactly the same as my Demon Internet reseller form addresses. When I contacted Demon about this they flatly denied any link between the two, but I pushed and pushed further until they investigated the matter and found that an employee had stolen and sold off a database of customer details. Unfortunately I think this is more common than most companies would like to admit.

      1. Mark 85

        Re: @cantankerous swineherd

        I believe that this is very common. From what I've seen, 99% of the time it's not some IT person but an admin or just someone who, with a little digging, can get the addy's from email lists, etc. Usually, the only punishment is firing.

  11. Tubz Silver badge
    Alert

    Weird

    After receiving very little spam in my VM inbox in 10 years, now getting a fair few and with a lot of detailed information.

    Coincidence or a coordinated spam fest?

  12. Anonymous Coward

    I have been using addresses of the form 20150204theregister.co.uk@mydomain.com for 15 years now. This allows me to pinpoint individual data submissions which are subsequently sold/leaked, and the company/site which broke the law by failing to protect my personal data.

    Truth be told, instances of such have been rare.

    Four failures I have noticed were...

    1) social networking site asmallworld seems to have divulged their members' details to criminal spammers in India by saving the member database in plaintext onto a compromised Windows laptop. Asmallworld's proprietors denied the leak until I showed that spam was being spoofed from members, not just to members, and then they went quiet.

    2) British Airways divulged my details to Easyjet (or vice versa, can't remember which) which I hope was a result of industrial espionage.

    3) a firm called Lands Tek gave my address to every spammer on Earth.

    4) no2id, the campaigner against ID cards, managed to keep my address secret for about seven years before divulging it to spammers. Due to the acute irony I complained and received the standard denial from a non-technical person.

    Considering that I have supplied thousands of tainted addresses, I'm impressed so far by the good general record of security, but when breaches occur, the denial response is normally very stupid.

    1. Anonymous Coward

      Can I add the BBC to the list of email sellers??

      This is fairly ancient, but back in the early noughties, the BBC were running a competition for under-12s.

      My son (age 6 at the time), entered using my email and home address

      THE ONE AND ONLY TIME THE TWO HAVE BEEN LINKED WITH HIS NAME.

      (He lived with his mother).

      Within weeks I started getting spam email and waste paper through the letterbox in his name - offering him credit cards, test drives of new sports cars etc.

  13. Anonymous Coward

    Agents

    Forgive me if this has already been mentioned (I can't read all the comments in work time).

    We deal with mobile companies through agents, and obviously they seem to have access to all the data they need in order to do their job. If an agent was compromised, I wonder if that could allow data scraping to this degree? Technically O2 could deny a breach as it could be some third party's normal access.

    I wonder if it is worth seeding the forum with the question, "who do you deal with for your contracts?"
