Re: You brought up an interesting point
Should file a complaint with the ICO under GDPR. Company can only keep data for as long as necessary - Account was cancelled 8 years and no reason to keep email going. Clear violation.
TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago. The customer, Joanne, was contacted by her friends after they started receiving spam from an old email address of hers. After digging out the account …
"Wonder why El Reg didn't pass the details directly to ICO, instead of TalkTalk? Also, how many other people have still active email accounts on TalkTalk?"
Because sadly it's quicker in this day and age to get a company to act if you're able to publish a story about them, than hand the issue to a third party who may take fucking ages to get a lesser result.
sadly it's quicker in this day and age to get a company to act if you're able to publish a story about them
Agreed. I'm always depressed when individuals who've been screwed over by megacorps get justice after a major (okay, El Reg in this case, so not so major) news outlet gets involved - because I think of the hundreds or thousands in the same situation who didn't get their stories published.
Because regrettably the ICO requires that people attempt to complain to the data controller first (which I am sure will end well if the data controller is in any way lax or dodgy to start with), before actually bothering to look into any concerns themself. Given how hard it is to awaken the ICO to take action, the well tested journalistic technique of name and shame tends to have more effect.
That address book is private, personal data.
She's reporting a compromise of that private, personal data.
I can understand TalkTalk not *providing* that data to her until she proves who she is, but if she's notifying them of a compromise of an account that should have closed and deleted her data years ago, then there's a big problem on TalkTalk's end.
Not to mention, she's reporting an account for sending spam and malware - surely whether it's her own account or not, they should be shutting it down?
Talk Talk Failures
NO DMARC policy
insecure RC4-SHA cipher suite
hash algorithm that is not secure on the certificate
Their website has :
NO X-Content-Type value
NO Content-Security-Policy (CSP)
Does not offer Referrer-Policy
Does not offer an HSTS policy
Allows for client-initiated renegotiation
"I'm not surprised though considering how poor TalkTalk are with customer service/care. They're the kind of company that offer you more expensive deals at a subsidized price when you attempt to cancel your service with them."
So, like every other mobile phone, internet, TV, etc. company I've ever dealt with then?
Unfortunately I very much suspect that the ICO will take no interest as they only seem to be interested when there are 'class action' type incidents that might damage their rep as an information watchdog to be on the right side of.
I would though just so you have given them the opportunity.
Back when Bebo (The crappy social network) was a thing I had a similar issue. Someone used my email address to create an account.
After multiple complaints all Bebo support would do is let me create my own account to stop someone else from using my email. By this point i was quite annoyed, so i reset the password on this person's account and changed their profile to a very abusive one. I changed the password and left it that way.
Bebo support quickly sent me an email to say they deleted the account for breach of their TOS and barred my email from making more.
I'm sort of trapped in a never ending transfer to plusnet (took my phone number ahead of schedule, no broadband, can't cancel and keep the phone number) but an aside was that I filled in all the boxes that said I would use my own email. They then set up an email in my name and have ignored requests to delete it. So no risk of anyone using that to impersonate me then ....
Plusnet screwed my house move. I couldn't keep my number as I was moving exchanges.
PN insisted really I wanted to keep my number and kept cancelling my phone installation becasue I couldn't keep the number. They didn't tell me this they just went silent and reissued new numbers ever week for 6 weeks. eventually I ended up phoning them up twice a day to check progress and advising them how to progress my own installation. When the phone went in the first call I got (within 4hr of switch on) was from a claims scam company.
Plusnet offered to pay back the 6 weeks of service they hadn't delivered. This never appeared. They also refused to acknowlege my complaints made verbally and in writing. In the end I gave up complaining since my wife had just died 6 months before and I had bigger issues on my plate. but I let my hatred of them fester and dropped them as soon as I could. Switchover to new supplier = 1hr.
I got a letter this week from TalkTalk inviting me back
A year or so back Vermin Media finally cabled our bit of the street (and we ended up with a cabinet about 4m from the house).
A month or so later, one of their reps turned up at the doorstep to ask if I wanted to migrate. Aside from the whole "I don't buy on the basis of being doorstepped" thing, I also have serious reservations about them, having had to deal with both their home and business divisions as part of my job.
So, about 5 minutes into my rant, as I paused to take a breath, he interrupted to suggest that I be put on a "no and don't bother me in future" list.
Vote for Andrews & Arnold here. Had heard about them for years as being "The Geeks ISP" and thought I'd give them a try.
On the few occasions I've had to flick them a support email or call I've rapidly got back a terse response with exactly the information I need - and without the two pages of "thank you for getting in contact" boilerplate, which is surprisingly refreshing. Moved house with them (to same exchange), regraded line, got a block of static IPs, all stuff that would have filled me with dread with a normal ISP and all went off without a hitch.
Zen - actually pretty decent protect visitors to website against attacks with e.g. cross-site scripting (XSS) or framing only failure (and its big) is lack of DNSSEC and DANE to lock in TLS certificates on mail servers
AAisp - pretty decent again but has the advantage of IPv6 however lacks DNSSEC and DANE which is a fail
What's the problem with DNSSEC and DANE?
If you're hosting a website, just host the DNS somewhere else. There's no need for your access ISP to be either your DNS registrar or your DNS authoritative nameservice. Indeed, if you keep them separate it makes it easier for you to change ISP in the future.
Or are you saying that their DNS caches are non-validating? If so, you can always use 22.214.171.124 / 126.96.36.199 / 188.8.131.52 - or just fire up your own DNS cache.
AAisp - pretty decent again but has the advantage of IPv6
Zen does IPv6 as well (I turned mine on a couple of months ago), but they're not very good at publicising it. The only thing I know of in the knowledge base is this
which basically says "mail ipv6@zen".
When I emailed them they replied 19 minutes later telling me I had IPV6 enabled on the line and to reboot my router to use it. Worked fine, no problems at all. I now have a stupid amount of addresses.
There are plenty of big ISPs and plenty of good ISPs, sadly no names appear on both lists.
Have a look at:
For a comprehensive list of ISPs, the services they offer, price plans and lots of reviews.
They cover 99.9% of all ISPs in the UK, including mobile, mesh and satellite.
and why wouldn't they be sending through talktalk? The user cannot change their password, so no risk there. Any SPF or DKIM that talktalk might apply will automatically pass.
OK, if the account gets closed down then they'll probably start sending the same messages through a 3rd party, but as things stand there's no reason to do so.
I see emails from various old friends names @yahoo.com all the time but when you look at the email headers they are all originating in Asia - but all that means is that some spammer found an open relay. Significantly most spam arrives during working hours which suggests to me that the majority is coming via hacked computers in the corporate world.
A few years ago one of our customers went bankrupt and we ended up acquiring what was left. This included the account details for the supposedly defunct BT account which (for reasons best known to them) was in charge of not just their phone lines but also their email and their website hosting. To this day I can still log in to that account, edit AND register domain details seemingly charged to thin air.
That TalkTalk, who took over Tiscali with whom I had a dial-up when dial-up was all you could get, have very, very shit UIs.
I kept on my old address as I had so much going through it, but their server was ONLY POP3, IMAP and SMTP with ONLY plaintext password transmission. No APOP implementation, even. I mean, who, WHO allows an email server to run with ONLY plaintext passwords as an option nowadays? Or for the last 25 years, even?
All it would take is an eavesdropping on an unencrypted public WiFi and boom! account PWND. So I switched to gmail, but all I could do was forward Tiscali mail to Gmail. There was no way I could change the password myself, and I knew that password had been compromised by way of HaveIBeenPwned.
No way to change passwords using POP, IMAP or SMTP commands from a client...
After much, much haranguing of TalkTalk, they eventually set me up with an account to access the portal required to change passwords. It still forwards to GMAIL, but I've managed to expunge address books, sent mail folders, inboxes... as much as I can manage. And I'm gradually changing my account details, but some news sites simply won't allow a change of email address, would you believe it! One could create a new account with them, but then one loses access to all the historical stuff associated with that account, and all the "rewards" like having so many community points as to be ad-free.
tl;dr TalkTalk are shit.
"some news sites simply won't allow a change of email address, would you believe it"
Not just news sites - and the worst of it is when "support" takes a month to tell you that they can't actually change the e-mail address associated with your account anyway, then waste even more time trying to delete it.
“folders, inboxes... as much as I can manage. And I'm gradually changing my account details, but some news sites simply won't allow a change of email address, would you believe it! One could create a new account with them, but then one loses access to all the historical stuff associated with that account, and all the "rewards" like having so many community points as to be ad-free.”
Well that’s another issue that’s wholly someone else’s problem and not talk talks, maybe email the news sires and complain, maybe they don’t know it’s an issue.
"Nor had it explained why a customer account that had been inactive for eight years wasn't deleted after the customer walked away."
The email account was linked to a customer account. That account no longer exists, therefore the associated email account could and should have been deleted.
There is no need for TalkTalk to require the ex-customer to identify themselves in order to authorise what should be automatic internal housekeeping.
How on earth do they manage to provide any sort of service?
They have a huge legacy base from hoovering up a shit-ton of smaller ISPs over the years, and hoovering up larger ISPs who had in turn hoovered up the smaller fry. Instead of migrating people to new email addresses, they virtualised the old servers as they came end-of-life or as the tin was moved out of DCs that they were letting go of, and this left them with a massive and diverse virtual real estate which they just allowed to bubble along as always, no service improvements, minimal updates to web portals etc, essentially just rebranding the UI.
There's a certain UK HE establishment that has took the same approach to end-of-life tin... and proceeded to backup the virtual machines to the same storage array that the live VMs were running on. On the plus side, it did clear out a lot of dross when it all went horribly, horribly wrong.
One wonders if TalkTalk could take the same approach?
Ah, those were the days, eh? When the cover CD / Floppy or PCW had the setups for dozens of dial-up ISPs, when everyone, EVERYone, was offering a dialup service, Sainsbury's, WHSmiths, Tesco, the local Library Service, AOL, Demon, EasyNet, DungeonNetworks, SouthernElectric... EVERYONE.
"a massive and diverse virtual real estate which they just allowed to bubble along as always, no service improvements, minimal updates to web portals etc, essentially just rebranding the UI."
Place your bets on how attentive they are to OS and application software patches on this virtual estate...
AC- Well said.
"The implication is that if you have to identify yourself they still hold your personal data with which to compare.......etc.."
Don't know why that got a dv. Especially as the down voter doesn't seem to feel the need to explain or contradict.
Either TalkTalk have account details or they don't.
If they do they shouldn't.
If they don't then the ID info is of no value and the email account is manifestly ended and should automatically be closed too.
There are levels of personal information. I see nothing wrong with holding onto a name and a service address for a former customer once that relationship has ended. Indeed, if they didn't hold such records, how could, say, a historical police investigation subpoena records? Is there a legitimate business case for doing so? That's another question. I would argue that there possibly is, discounts for a returning customer, details of installation works, issues with local exchange quality or engineers notes about the property. It's not like they have a copy of your passport, driving license, current credit card and bank account details, etc They wouldn't be comparing THOSE against what you possess to check who you are. They would simply have a record that a certain name had a contract with them at a certain address. An issue arises from that historical relationship, so they have to establish with reasonable certainty that the person who has contacted them about the historical relationship is, in fact, the person with whom they had a contract.
I could throw hypotheticals at this, owned a car for 9 years, do I expect the dealer to have a record or delete it as soon as my warranty expires? But that's not specific to this case. It turns out they DID have an ongoing relationship for a service, even though it was unexpected. I read the situation as being one where they verified an identity before blithely progressing on to doing something without checking that they could reasonably trust that this person was who they said they were, and they did that in a "one-sided" way, not a "comparing what you have to what they have" way.
In fact the details they hold about you are pretty scarce - do I have a copy of the last amount of a phone bill from 8 years ago? No! That's MY poor record keeping. What else do you expect them to do? Allow someone to close down an email address WITHOUT any verification?
What data can and should be kept is another issue, but to correct one of your statements, we're not suggesting that they "[a]llow someone to close down an email address WITHOUT any verification", but that they close accounts that are inactive. It's a good measure for them to take as the account is no longer paid, may be required by a contract which initiated the account in the first place, better adheres to privacy laws, and prevents problems like the one mentioned in the article. When they didn't bother to do that and were contacted about an account sending spam, they could also disable the account, either simply for spamming people which is what they would do anyway or because they've now had their attention drawn to an account that shouldn't be live.
Except up above we have various people who are still accessing old email accounts on supposedly closed accounts....
In my experience if you came along with a bulldozer and cleared Stonehenge a druid would pop out of the woods and complain that that was the only copy of his calendar that he had, and how was he going to mange organising his sacrifices.
see nothing wrong with holding onto a name and a service address for a former customer once that relationship has ended.
Unfortunately for you, GDPR is quite explicit in that if you have no legitimate business need to do so, with informed consent from the person involved, then you cannot do this.
There are reasonable exceptions in GDPR for situations where legislation requires the retention of data (e.g. for accounting records which must eb retained for a certain length of time), and for law enforcement. Keeping the name and address of a former customer doesn't fall under these.
Down-vote me all you like; names and addresses are clearly personally identifying information (PID) under GDPR. If you hold it, you have to have both a reason for doing it, and consent (except for where the retention is statutory and does not require consent).
If someone is no longer your customer, you have no rights to their PID, except for such purposes as you are legally required to hold it. If that's inconvenent for you, I'd suggest it's your business model at fault, because it probably involves contacting people out of the blue in an unsolicited manner, or selling those details on so somebody else can.
Under GDPR there are no set periods for retention. As a holder of data you have to set retention periods that fit your need, and are justifiable.
I think I could make a case as an ISP that I held a list of email addresses of past customers for a long period (say 100 years?), justified, by a requirement not to reissue a user name of an ex-client to a new customer who might then impersonate the previous user. If I made that judgement, documented it, and respected direct requests to erase a user that specifically requests it I'm good to go, as long as I just keep an email address, and I just use it to vet new addresses. Equally I have to make a business judgement on how likely a user who lapses their subscription is likely to re-subscribe and so warranted retention of customer details for account validation. I might easily decide that that was 12 months, or 13, or 24. It's my choice, as long as I can justify it and I use the data for the purpose for which it's collected. If I bombarded the ex-client with special offers, or flogged their email to another company then its a GDPR fail.
The issue here is nothing to do with GDPR - it's about failure to suspend a lapsed account.
Well that informed consent would only apply to relationships initiated AFTER GDPR day, and even after that date, when you give informed consent you could have agreed to it for life. You DO get, under GDPR, the right to change that, to say STOP processing my details, erase them, forget about me. But this is still all too new to be tested in law as to what a reasonable period is. I had a quick dig and there's some shocking figure like 90% of customers present as repeat business after periods ranging from 3 years to 7 years since their last purchase from a company, depending on sector.
I'm far less worried about a name and address and even an email address being retained by a company that I have interacted with, especially where it's a long standing relationship like a telecoms provider or an energy provider or a store for whom I have a loyalty card, than the creeping stuff going on without consent, or where the information is joined up to other stuff.
One person's interpretation of reasonable might well vary from another's. At the end of the day, GDPR gives ME the right to decide FOR MYSELF when long enough is long enough, and that's more power than I think we've ever had like that.
wrong on many levels. When GDPR came about you could only continue to hold data if it was collected in a GDPR compliant way in the first place.
PECR was also around before GDPR (not forgetting Data Protection Laws) which also required consent.
Once GDPR was in place all data had to be processed in a GDPR compliant way regardless of what happened before and when it was collected. Therefore (even if you ignore the previous laws) once GDPR was in place you could not indefinitely store that information.
There is nothing about reasonableness that needs testing in law. You must hold the data for the minimum amount of time required for the legitimate purposes or reasons that you are currently holding it. You are required to make an assessment of how long the minimum time should be. A customer closes their account, I would suggest 6 months to clear up any outstanding queries with it then delete it.
"But what about returning customers, with a special offer?". Well that is not a legitimate reason, so if a customer has left, they are no longer your customer wave them goodbye and hope that they may return as a new customer on their own accord whenever they wish.
Reasonable is business specific, and the ICO have several sensible examples. I have silly ones.
Reasonable if I enter you into a prize draw for a weekend in Skegness, 0 days after the draw, or maybe 0 days after the prize is claimed, in case the winner decides Skegness isn't for them.
Reasonable if I sell you an ice cream, maybe 3-4 days (typical incubation period of e-coli).
Reasonable if I sell you an inflammable tumble dryer maybe 6 to 10 years in case of a product recall?
Reasonable if I sell an infant a widget with a life-time guarantee, maybe 4 score and 10 years?
"You're not quoting any legal definition here, then"
Exactly that is my point there is no test of reasonableness that need defining in law. As an organisation you need to make a valid assessment balancing the rights of individuals against legal requirements and essential needs. If you make that assessment that you are holding it for the minimum amount of time necessary and have informed the users then you are compliant, it doesn't need a court to decide this.
If you are holding data for longer just for your own marketing uses then it is not legal. My opinion 6 months would be fine for a customer account, they are free with greater insight to choose a longer period. If their marketing team get involved and ask to hold it for longer than defined purely by legislative or essential need then it is probably illegal.
This is the reason why the threshold for a DPO is quite low and they must be completely independent of any department that has a vested interest in the data and must be at a level that can report directly to the board or equivalent.
OK, I found a legal obligation to keep a record of a contract, such as supply of a service like telecommunications, made in the UK.
Section 5 of the Limitation Act 1980.
Minimum retention: for the length of the contract or agreement and 6 years afterwards.
Not 8 years... but this is a minimum.
OK, I found a legal obligation to keep a record of a contract, such as supply of a service like telecommunications, made in the UK.
The relevant words there are "record of a contract." That's likley to include the fact that the contract exists, and the required indentifying information for the signee (i.e. name, and possibly address). GDPR is also going to limit the uses you can access, and use, that information to those specified in the legal requirement to hold that information in the first place. I'm pretty sure theta wouldn't include using it to verify someone's identity because you have continued to hold other information about them that they (reasonably) want expunged - i.e. an email account.
TRT I would strongly suggest for the good of any business you work for that you go back and learn about GDPR.
You are incorrect on many of your statements.
As mentioned, when you provided consent is of no consequence, if the data was not collected in a way that would currently be compatible with GDPR that you are required to reconfirm that consent or destroy any data you hold which is not covered by the legal basis or statutory regulatory requirements.
You might have noticed the hundreds of emails you had asking you to do this just before GDPR kicked in.
There is also no such thing as "life long consent" and never has been.
"The email account was linked to a customer account."
I think you'll find that actually the email account has never been linked to anything.
My guess is that new customers have a new email account requested for them, after which the email account operates independently of the customer account on completely separate systems.
Would be an interesting experiment to check for ways to get new email accounts provisioned externally. I bet its far from impossible.
It should be obvious from looking at the mails sent from that account that they're phishing or spam. But TalkTalk aren't allowed to look in the account, are they, because of privacy, GDPR or whatever. So basically they'll adhere to regulations when it suits them.
This is the problem with today's legislation: nobody will use any common sense. The least they could do is put a temporary block on it. But it's talktalk - they couldn't give a shit about actually helping someone.
It's the same with Snapchat. I heard a piece last night on the TV about a man in prison allegedly sending upsetting messages to the family of the boy he killed, from prison, via snapchat. Will snapchat pass details to the police? Will they fuck! No, they're hiding behind some 'American legislation' that'll take too long to process.
The sad fact of the matter is that these large companies like Facebook, Snapchat and TalkTalk are not really doing enough to prevent criminal activity. Facebook merrily let scammers selling stolen MS Office 365 IDs advertise on facebook every single day for example. It's plainly obvious to me that it's dodgy. So why can't facebook just call Microsoft, get them to investigate and close down anybody advertising cheap Microsoft licences? The basic answer is greed. They don't want to spend time or money that will ultimately result in them losing more money.
It's time legislation changed. These social networks and email providers have a duty and they're clearly unable to regulate themselves. The only solution as I see it is intense government regulation. If the UK government can come up with a nobody-really-wants-it government universal porn filter, then they can damn well come up with something to control email providers and social networks.
Surely it's about time these companies were prosecuted under the Proceeds of Crime Act 2002? Similar legislation exists in other countries. Maybe, if they won't pay taxes they might be prepared to pay fines. Or we could start chucking them in chokey?
Pity they didn't do this when all the counterfeit tat started appearing on eBay. Might have been a useful example to others?
The government devised porn filter is yet to be proven effective. I wouldn't use it as an example of "see, they can do it" because within about 3 seconds of it being deployed, it'll be bypassed.
OK, it's probably the same in the social networks will manage to skirt around any equivalent law, but that's presumably not the point you were trying to make.
I've got an ongoing similar problem with Virgin. I used to have an old blueyonder email address on my parents account from the days when I lived with them.
Haven't touched that account for years, assumed it was all closed down. But recently it suddenly came back to life and I'm getting thousands of bounced spam emails that are being sent from it. The emails are the standard nonsense, but they all have my old email address and it's password in white text at the bottom. So it seems they somehow brute forced it (or that old account was in one of the hundreds of leaks over the years). Luckily I don't use that password for anything any more. But Virgin don't want to hear anything about it. It's not my account, so I can't ask them to close it down.
And Vermin can't see that it's an account only used for sending spam and it was linked to a customer account that no longer exists? Same story, yes, as WankWank. It's easier to just leave it running than to even think of suspending it!
It really is high time that we had some sensible rules about using common sense. Just because there isn't a policy for something doesn't mean that a decision can't be made!
I know as they keep emailing me about how wonderful the new system will be.
If only I hadn't left them 3 years ago.
One problem I had when I left them was that I couldn't log into my TT account, to request a refund, as I wasn't using a TalkTalk land line.
I look forward to being used as a beard in future scamming and extortion acts.
I moved away from Virgin (just a dial-up and then ADSL account, not TV or cable), but my email address was still active for over a year after the account was closed.
Got to the point where their webmail portal was not accessible, but my fetchmail POP3 scripts still worked both picking up and sending mail.
Even though the account was supposedly closed, it was still used to send spam out after Virgin leaked the details in one of their data breaches (mail address and password), and it was also used to hijack my facebook account (which I did not notice because I don't actually use Facebook hardly at all).
When I tried to get them to take action, all I got was the "Sorry, you're no longer a customer" spiel, although the mail address was eventually shutdown even for POP access.
Virgin shuts down inactive email accounts after 6 months. Even if you are still a customer. As I found out when I reinstalled the OS and everything on my laptop and forgot to add the account in to the email client. So when I stopped checking the mailbox they closed it off with no possibility of reactivating it. And why is that important? It's the address I had nominated for various service and account announcements which suddenly became important when they did something I didn't like and was told "well... we DID warn you." When I went back to check... yup... no access.
TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago.
Internal house keeping processes should have taken care of this account long ago.
Nor had it explained why a customer account that had been inactive for eight years wasn't deleted after the customer walked away.
Would the GDPR right to be forgotten request include the mailbox?
Surely the ISP don't know whether the mailbox itself contains PII though? They can hold it to fulfil a contractual relation (keeping the customer's mail), but once that contract is over they probably have to get rid of it for that reason if no other. (Probably some grace period is reasonable, 8 years is quite a lot of grace.)
"never to open unsolicited attachments unless you know the sender and are expecting their email."
I've always thought this a ridiculous advice. So if I want to email a friend, I have to first phone them to tell them to expect it? If I email invites to a surprise party, my friend should ignore it because they weren't expecting me to email them about a party?
Not exactly practical and not going to happen.
If you're sending me a party invitation by attaching something to an email, you might want to look at doing something else, as that certainly looks suspicious and I doubt I'd be opening that.
In most cases, the sender will include information in the message body about the attachment and why it's there. It's not that unreasonable to read this information closely and follow up with the sender if there is confusion, and many malicious attachments are somewhat easy to spot. Whenever there is doubt (did they really want to send me a random .pdf when the message simply says "Could you take a look at this?"), it's worth checking in, if only to determine what they want me to do with this if they did intend to send it.
A number of years ago my broadband provider was taken over by Talk Talk. I received a nice letter from them welcoming me. They then managed to completely forget I was a customer. I wasn't billed for two years but I was stuck on a really slow connection. I couldn't upgrade it to a faster line because Talk Talk said I wasn't their customer. I couldn't leave Talk Talk because whenever I tried the new ISP said there was a Talk Talk marker on my line and I would need the leaving code. Talk Talk wouldn't give me a leaving code because they said I wasn't their customer. I was stuck on 2mbit for years. While many would say it was great not being billed I needed the line for work and it would stop working randomly several times a week. Of course Talk Talk ignored me when I reported the problem because they said I wasn't a customer.
I only managed to get it sorted when I raised a complaint with OFCOM.
Before the split with BT and OpenReach, I had a related issue with BT at one property we moved into. I phoned BT and asked them to make the phone line live in the property, but they said the property had never had a phone line into it. I explained that there was a telegraph pole outside with a line coming into the property into a BT master socket. It even had a continuous tone indicating it was hooked up. But no they said, our property wasn't even on their records, was it a new build? No, it was around 80 years old! Anyway, they booked an engineer to install a phone line.
He arrived expecting to run cable etc but was surprised to see we already had a BT line. A few tweaks and we were up and running.
In my experience all telecoms/internet providers rate on a scale between very incompetent to moderately incompetent. And I've dealt with most of them over the years.
This reminds me of an experience I had with NTL/Virgin. It was a long time ago, the early 2000s I think, so I can't remember the exact details, but I do remember that I had telephone, BB and TV with them. But for some reason I had two separate bills/accounts, one for TV and Broadband, and one for phone, the latter of which didn't actually exist on their system, yet I was being billed for, but the main problem was that both of them were billing me for line rental.
They wanted me to pay by direct debit payments, which I refused to do until they fixed the issue, so as retaliation for not paying by DD, they charged me a £10 admin fee every month. And every month I'd phone them up and demand that they fix the issue, which they always didn't, and that they remove the £10 charge, which they always did.
I couldn't leave, because a) I was scared that they'd forget about me and I'd never get my line rental refunded, and b) I couldn't move to another provider because of the telephone line with that wasn't on their system.
I think this went on for about a year until I spoke to someone who actually knew what they were doing and they fixed the issue there and then.
I left them after that and went to Sky which I have never had any problem with.
I had similar fun after building a new house on a old lot, demolishing the old house. It used to have POTS, and so it was easy to start a new account. However, the line to the house was dangling in the air by the fence, and obviously needed to be terminated to the house. However the phone company insisted that it was connected... and finally did the install after I managed to email the rep a picture of the dangling cable.
I appear to have developed a callus over the part of my brain that experiences any sort of shock when an ISP fucks up and then says it's not our problem.
In days of yore when I worked for an IT outsourcing company that looked after small business customers, we partnered quite often with a telecoms company when clients needed phones. They in turn obviously got kick backs from TalkTalk for referring clients, as most of our joint clients went with them on the telecoms company's recommendation. Any time you ever phoned them it wasn't TalkTalk's fault, either it was Openreach or "you aren't using our modem so we can't help you"
In Britain, most people base their choice of ISP on the basis of cost and not customer service or reliability. I guess the ISPs run on an incredibly tight shoestring, although some are worse than others. The ISPs on here that get recommended often eg Zen or A&A are more expensive for a reason.
>Maybe a request for "Right to Erasure" would do the trick?
But requires "two forms of valid ID" - suspect this is what was being asked of Joanne.
Interestingly, I note from the report of Daniel Gibbs investigation that clearly Joanne had simply "walked away" from the account all those years ago; otherwise, the addressbook would have been empty as would have been the email folders. I would hope that Daniel did clean out all the personal information.
If spammers are sending email to this woman's friends then her dead email account must include their email addresses. So she didn't delete her address book and old emails before cancelling her TalkTalk account? I'd say a large portion of the blame lies with her and her poor infosec practices.
Victim blaming. It's wonderful, isn't it? The ISP didn't cancel the account or delete data when they were required, and someone else managed to get in and start spamming without assistance of the original account holder and despite their attempts to stop it, but yet it is the original person who is to be blamed for this?
>The ISP didn't cancel the account or delete data when they were required
When was it that the ISP was 'required' to do something? Yes, Joanne cancelled her contract, but what exactly had TalkTalk committed to do in the event of an account termination?
From what I can see, prior to GDPR there was no real requirement for the ISP to delete data, it is only post-GDPR becoming law that the ISP now has real legal obligations over the retention of personal data, particularly if it relates to ex-customers.
>someone else managed to get in and start spamming without assistance of the original account holder and despite their attempts to stop it, but yet it is the original person who is to be blamed for this?
Whilst we don't know if her password was something trivial and so easily compromised, we do know that she had not cleared her mail folders and addressbook and so does carry some blame for her contacts receiving personalised spam from this account.
What is clear from this case is that people's expectations about their online accounts and what providers actually do, are often very different in reality.
However, GDPR does start to bring the real world into line with users expectations. but even this, it is good practice to clear down online accounts that you are about to terminate, just like it is good practice to clear the memory of your phone/computer before resale. Note I'm not saying I always follow good practice, just that I accept the blame when I don't and it comes back and bites...
GDPR came into force almost a year ago. They're subject to it now, and it requires them. That is assuming their contract doesn't say something about account closure, which many do in order to indemnify the company when they delete users' data after accounts are closed.
Once again, blame is not the correct way to deal with an account compromise. Whether the password was bad or not, the client did not take an action with the intent of allowing an attacker in. Yes, there are good practices that would have helped here, but not following every good practice does not automatically make any problem someone's fault.
In that case, I could come to your house, find a place where you have been too lax with your security, and blame you for the fact that I broke in. Should I do that, the blame for breaking in belongs only to me. Good practices mean that it is less likely that I'll be able or inclined to break in, and as such benefit you because you don't have to involve law enforcement. You may have entered a contract with an insurance provider that requires you to follow certain practices in order to get benefits. Still, I am not rendered innocent if you forgot to lock your door.
>I could come to your house, find a place where you have been too lax with your security, and blame you for the fact that I broke in.
Well... If there is no evidence of forced entry both the law and insurance companies take an interesting stance - hence the problems associated with getting squatters evicted...
This does make this case interesting, as effectively it does require service providers to do a fuller investigation of their IT systems than the readily accessible records (ie. the customer account system's records) indicate. Mind you. I am a little surprised that TalkTalk haven't done a reverse check (email account to customer account) to help in the process of clearing out legacy - even if the legacy has been VM'd.
I have just finished a long correspondence with TalkTak on exactly this. I closed my account a zillion years ago (a Tiscali account) and yet the emails kept coming in and were active. I could not close this down because i no longer had an account. I wrote, once spam started pouring in, to get talkTalk to close it. They needed proof of identity, which I gave them. I chased, they kept asking me for the same proofes. I kept giving it to them. I then expostulated. They said I could go through the 'right to be forgotten' and I would ahve to send passport etc. I explained that this is not what I wanted -- I just wanted the email closed.
They then said that they had updated and changed quite often and that they no longer knew what was on their servers, and so couldn't identify any account. I am not kidding.
I was about to go to the Regulator, or to my lawyer. Now I am going to send TalkTalk a link to this story, and I suspect magic will finally happen.
This all boils down to "Rule One: so many previous mistakes that no latitude whatsoever is allowed to staff below a certain level" (and good for them for that - would that my bank representative had not had the latitude to allow A. Person to change my mother's maiden name on my account some years back) and "Rule Two: no-one at the right level is to be bothered by piffling ex-customer problems" which is where the wheels fall off.
Not to dissimilar to Sky.
I was a sky tv and internet customer a number of years ago. When I left i still had the use of their email which is hosted by Yahoo.
Ok, unlike Talk Talk I can edit my password but it did surprise me to learn that i still did indeed have access to this email account. I would have expected it to be terminated when my contract with Sky ended.
Like other posters on here, I've had a very similar issue with TalkTalk...an old dial-up Lineone email address was hacked, and the first I knew about it was receiving emails from that account with dodgy links/attachments in them. Maybe I was not especially thorough in clearing out the old account but the password was fairly secure and like others here, I can still access the account but not change the password. Whoever now logs in to the account seems to spend their time creating Epic Games and Amazon accounts.
A phone call to TalkTalk obtained me nothing more than a curt (borderline rude) response that they could do nothing as they no longer support email addresses like Lineone or Tiscali. I found others had been helped on TalkTalk's support forum, so posted on there. Like Joanne, I was pointed to the 'right to forget', but this involved sending a company that seemingly hasn't kept my data safe proofs of identity, so I wasn't keen. I've been able to persuade the forum administrator to send my details over to the relevant team at TalkTalk to contact me and change the account password but so far, no contact from said team. I can't fault the guy on their forums but everything else seems to be fairly shambolic. I've prodded TalkTalk by posting a link to this article and we'll see what happens next.
Thanks, Register, for raising awareness of this issue.
A few months ago, I managed to snap up a domain that had expired. I do not feel guilty about this, because the domain was originally mine, and I lost it when I was in hospital a few years ago.
So, I got my domain back, set up the email address, a few days later I got an email saying I'd been sent $100 - a few days later another one. I initially thought it was spam, but with further investigation,discovered it was legit, and belonged to someone who had been using the email address last year.
I logged into the website, entered the login id (helpfully contained within the emails!) then hit 'forgot my password' and sure enough, received a 'reset my password' link in my email.
I didn't go any further, but sent an email to the customer services telling them I have access to this bank account, it's not mine, and please cancel the email address..... The reply was that as I was not the owner of the account, I couldn't authorise an account change! I then replied that if I decided to clear the account out, it wouldn't be good for PR, and got a reply saying the problem had been sorted. It hadn't. For the next week I kept receiving receipts, until I ended up manually blocking the address my end.
... just checked the mailog, a delivery from them was attempted yesterday.... this could be an el-reg scoop!
Easy enough for me, I still use mailx as my primary email reader, but have you seen how hard it is these days to verify an email address with most "email apps" these days?
Forget seeing envelope senders, or mail headers, some systems don't even show the email address from the DATA header (just showing the 'real name')
I remember being shown how to spoof the email address by talking directly to the mail server back in 1989.. And now, 30 years later, it's even more difficult to tell such spoofing is occuring
Just noticed the update from talk talk, seeing as no surname was mentioned through out the article just joanne, they refer to a Ms Thompson, guess they cant help them selves but to keep leaking customer info..... (although perhaps el reg could have noticed that and redacted the response appropriately...)
I left BT a year ago (oh bliss!) but all my email addresses stayed active despite my repeated attempts to delete them using portal, online chats and phone calls. My BT logins still work, my BT IDs still work, and while I've managed (eventually) to silence 8 sub addresses, the old primary is undeletable. BT are totally useless at responding to repeated requests to deal with this. 13 months on and the primary btinternet.com address is still fully active, receiving, forwarding and able to send emai using either pop3/smtp or webmaill. And of course - hackable (it's a btinternet.com address on the much hacked Yahoo!/Oath platform). After 12 months I finally lost patience. I made a subject data access request giving BT details of all my logins and IDs and asking for a full dump of my data. I got a very very partial dump which ignored most of my logins and email addresses that were still visible on the customer portal. I then sent the whole complaint to ICO and yes, they have failed under GDPR and there are just a few days left to the deadline ICO gave them. As Mrs May is wont to say, "nothing has changed" - it's all still active and they still haven't sent me my data.
If you have recently left BT - do make sure that they delete/inactivate your address and make a subject data access request to see what they "think" they hold on you. They probably won't be able to comply. Then shop them to ICO. If the ICO get a LOT of complaints about these incompetent ISPs then maybe at last they will issue some eye-watering fines that are big enough to dent their bottom line. Because they haven't done that YET despite some fairly major breaches by the likes of BT and TalkTalk and of course, Yahoo UK&Ireland/Oath.
> My BT logins still work, my BT IDs still work
Well, a good way to lock the BT account is to do a series of failed logins (mistype the password), it will get to a point where the only way to unlock is to call BT and for them to send out a letter to the registered account address...
Just imagine an NHS run by the big cheese of talktalk. Talk of opening of patient data for sale to large companies and free too! Watering down of data security requirements. An IT workforce increasingly paid a pittance compared to their private sector colleagues... sounds crazy, right?
Wrong, Dido is looking to 'redesign' the NHS around her failed talktalk.
How Tory Dido is even allowed to run a company stilll.. ow wait.. yeah, she's a Tory politician. Government is Tory. Both hate the NHS and anything beyond their personal own self-interest.
Spam from obselete talktalk email addresses is just another success milestone for dear Dido.
Have contacted the ICO after being asked for 2 of the letters of my password by TalkTalk in order to close an email account I haven't used in years. They've been sending emails to inform me of their new email system though why I would be interested I don't know. I refused to send any of the documents (birth cert, driving licence etc) to them given their history of data protection. In response one of the things they asked for was the 3rd and 6th letter of my password. I'd have thought passwords should be encrypted?
Biting the hand that feeds IT © 1998–2019