There's always a need to need to perform one access of a system where you don't have full access to credentials (ie. an initial registration), but there's so many different ways to achieve it in the year 2009, for instance;
- verification against a challenge letter (yes, a real letter sent in the post)
- verification against a challenge sent by SMS to a registered mobile phone
- verification against a certification pad (like PINsentry), or software equivalent
- verification against a password registered on a website in response to an an email containing a link with a reference
Bottom line is that it is unforgivable that details are sent out in a fashion like this. This is not a High Street store enticing new customers with a loyalty scheme, it's an ISP that should know better. Back in the day they were a great ISP as well, full of technical competence and great on delivery.
I agree that Data Protection action should be taken against Demon so that a lesson is taught to all companies that employ incompetent fools to manage data of the masses. If they have to think before pressing the button, they might prevent shams like this.
Paris, because no password needed to access her backdoor.