back to article TalkTalk kept my email account active for 8 years after I left – now it's spamming my mates

TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago. The customer, Joanne, was contacted by her friends after they started receiving spam from an old email address of hers. After digging out the account …

  1. itguy

    Re: You brought up an interesting point

    Should file a complaint with the ICO under GDPR. Company can only keep data for as long as necessary - Account was cancelled 8 years and no reason to keep email going. Clear violation.

    1. macjules Silver badge

      Re: You brought up an interesting point

      Wonder why El Reg didn't pass the details directly to ICO, instead of TalkTalk? Also, how many other people have still active email accounts on TalkTalk?

      1. katrinab Silver badge

        Re: You brought up an interesting point

        I do, and I cancelled my account with LineOne about 20 years ago.

        1. regadpellagru

          Re: You brought up an interesting point

          I do as well. Cancelled my ISP service from Freetelecom (France) 8 years ago.

          I know the account is still active because I use gmail to aggregate multiple active mailboxes via POP3, and still today, I receive emails relayed by it !

      2. andy 103

        Re: You brought up an interesting point

        "Wonder why El Reg didn't pass the details directly to ICO, instead of TalkTalk? Also, how many other people have still active email accounts on TalkTalk?"

        Because sadly it's quicker in this day and age to get a company to act if you're able to publish a story about them, than hand the issue to a third party who may take fucking ages to get a lesser result.

        1. cosmogoblin

          Re: You brought up an interesting point

          sadly it's quicker in this day and age to get a company to act if you're able to publish a story about them

          Agreed. I'm always depressed when individuals who've been screwed over by megacorps get justice after a major (okay, El Reg in this case, so not so major) news outlet gets involved - because I think of the hundreds or thousands in the same situation who didn't get their stories published.

      3. Anonymous Coward
        Anonymous Coward

        Re: You brought up an interesting point

        Because regrettably the ICO requires that people attempt to complain to the data controller first (which I am sure will end well if the data controller is in any way lax or dodgy to start with), before actually bothering to look into any concerns themself. Given how hard it is to awaken the ICO to take action, the well tested journalistic technique of name and shame tends to have more effect.

    2. Lee D Silver badge

      Re: You brought up an interesting point

      Yep.

      That address book is private, personal data.

      She's reporting a compromise of that private, personal data.

      I can understand TalkTalk not *providing* that data to her until she proves who she is, but if she's notifying them of a compromise of an account that should have closed and deleted her data years ago, then there's a big problem on TalkTalk's end.

      Not to mention, she's reporting an account for sending spam and malware - surely whether it's her own account or not, they should be shutting it down?

      1. Robert Helpmann?? Silver badge
        Childcatcher

        Re: You brought up an interesting point

        Why would a brute force attack be effective! That's shody security on TalkTalk's part (a theme here, it would seem)? What have they done with the logs showing which IPs the illicit access took place?

    3. anothercynic Silver badge

      Re: You brought up an interesting point

      Yep, I'd recommend that.

    4. john.jones.name

      security best practices ?

      Talk Talk Failures

      Mail :

      NO DKIM

      NO DMARC policy

      insecure SSLv3

      insecure RC4-SHA cipher suite

      hash algorithm that is not secure on the certificate

      NO DNSSEC

      NO DANE

      Their website has :

      NO DNSSEC

      NO X-Content-Type value

      NO Content-Security-Policy (CSP)

      Does not offer Referrer-Policy

      Does not offer an HSTS policy

      Allows for client-initiated renegotiation

    5. Stretchoman

      Re: You brought up an interesting point

      I'm not surprised though considering how poor TalkTalk are with customer service/care. They're the kind of company that offer you more expensive deals at a subsidized price when you attempt to cancel your service with them.

      1. DavCrav Silver badge

        Re: You brought up an interesting point

        "I'm not surprised though considering how poor TalkTalk are with customer service/care. They're the kind of company that offer you more expensive deals at a subsidized price when you attempt to cancel your service with them."

        So, like every other mobile phone, internet, TV, etc. company I've ever dealt with then?

    6. The Dogs Meevonks

      Re: You brought up an interesting point

      I haven't been a sky customer for more than 4yrs and haven't been with virgin for more than 12 months... Both still have active email accounts that I cannot delete.

    7. Anonymous Coward
      Anonymous Coward

      Re: You brought up an interesting point

      Unfortunately I very much suspect that the ICO will take no interest as they only seem to be interested when there are 'class action' type incidents that might damage their rep as an information watchdog to be on the right side of.

      I would though just so you have given them the opportunity.

  2. Christoph Silver badge

    I wonder if the next thing to happen is that they charge her for that email account?

    1. Groaning Ninny

      Backdated, too!

  3. dkjd

    Giving your private email address list to 3rd party and then refusing to do anything sounds not-gdpr ok to me. They should at least lock the account down and make the current "user" prove identity surely?

    1. Tigra 07 Silver badge
      Thumb Up

      RE: dkjd

      Back when Bebo (The crappy social network) was a thing I had a similar issue. Someone used my email address to create an account.

      After multiple complaints all Bebo support would do is let me create my own account to stop someone else from using my email. By this point i was quite annoyed, so i reset the password on this person's account and changed their profile to a very abusive one. I changed the password and left it that way.

      Bebo support quickly sent me an email to say they deleted the account for breach of their TOS and barred my email from making more.

    2. tip pc Bronze badge

      “They should at least lock the account down and make the current "user" prove identity surely?”

      Let me just complain to your isp about your email address and let’s see how quickly you’ll change your mind about that statement.

  4. Pascal Monett Silver badge

    This would normally be a rant about sheer incompetence

    But TalkTalk, so it would be entirely redundant.

    I am looking forward to a lawsuit.

  5. chivo243 Silver badge
    Facepalm

    Beyond FAIL

    See title, nothing more to say. Except has anyone tried to contact Dido, maybe she can help?

    1. 0laf Silver badge
      Angel

      Re: Beyond FAIL

      Baroness Dido moved on from Talk Talk some time ago. You'll be reassured to know that she has learned from her previous mistakes and now works for the NHS who are much better at covering up senior management failings.

      1. stiine Bronze badge
        Facepalm

        Re: Beyond FAIL

        Do you think they deleted her email account?

  6. Paul Herber

    Catch-22

    Joseph Heller should have written a book about TalkTalk, and called it Catch-22.

    1. Yossarian

      Re: Catch-22

      Couldn't agree more! I live.

      1. Paul Herber

        Re: Catch-22

        TalkTalk only have Major Major Major cockups!

  7. Tigra 07 Silver badge
    Facepalm

    Wooden Spoon company

    I was with Talk Talk once. Horrible company. They were still sending bills 6 months after i'd left them for Sky, and by then threatening to sue me for not paying.

    1. deive

      Re: Wooden Spoon company

      They tried to do the same to us, after we moved into a house where the *previous* occupiers used them. We've never been a customer of theirs and never will be. Needless to say they didn't get any money off us.

      1. Tigra 07 Silver badge

        Re: Wooden Spoon company

        Sounds like they're more predatory than Capita and their TV Detector Vans.

        1. jasper pepper

          Re: Wooden Spoon company

          No, TalkTalk are not in the same league as Capita. With Capita it is greed, pure and simple; with TalkTalk it is incompetence, stupid, stickling script following idiocy managed by cretins.

    2. Roj Blake Silver badge

      Re: Wooden Spoon company

      You think that's bad, try BT.

      They continued billing me for five years after I cancelled my account with them - only they didn't actually send me any bills. The first I heard about it was when the debt collectors contacted me.

  8. chrisf1

    Are any of them any good?

    I'm sort of trapped in a never ending transfer to plusnet (took my phone number ahead of schedule, no broadband, can't cancel and keep the phone number) but an aside was that I filled in all the boxes that said I would use my own email. They then set up an email in my name and have ignored requests to delete it. So no risk of anyone using that to impersonate me then ....

    1. 0laf Silver badge
      FAIL

      Re: Are any of them any good?

      Plusnet screwed my house move. I couldn't keep my number as I was moving exchanges.

      PN insisted really I wanted to keep my number and kept cancelling my phone installation becasue I couldn't keep the number. They didn't tell me this they just went silent and reissued new numbers ever week for 6 weeks. eventually I ended up phoning them up twice a day to check progress and advising them how to progress my own installation. When the phone went in the first call I got (within 4hr of switch on) was from a claims scam company.

      Plusnet offered to pay back the 6 weeks of service they hadn't delivered. This never appeared. They also refused to acknowlege my complaints made verbally and in writing. In the end I gave up complaining since my wife had just died 6 months before and I had bigger issues on my plate. but I let my hatred of them fester and dropped them as soon as I could. Switchover to new supplier = 1hr.

    2. Anonymous Coward
      Anonymous Coward

      Re: Are any of them any good?

      Zen was decent when I was living in the UK.

      They seem to have a good reputation.

      1. Roger Greenwood

        Re: Are any of them any good?

        +1 for Zen. And it's run by very savvy humans.

        I got a letter this week from TalkTalk inviting me back. Took me ages to stop laughing.

        1. CrazyOldCatMan Silver badge

          Re: Are any of them any good?

          I got a letter this week from TalkTalk inviting me back

          A year or so back Vermin Media finally cabled our bit of the street (and we ended up with a cabinet about 4m from the house).

          A month or so later, one of their reps turned up at the doorstep to ask if I wanted to migrate. Aside from the whole "I don't buy on the basis of being doorstepped" thing, I also have serious reservations about them, having had to deal with both their home and business divisions as part of my job.

          So, about 5 minutes into my rant, as I paused to take a breath, he interrupted to suggest that I be put on a "no and don't bother me in future" list.

      2. CrazyOldCatMan Silver badge

        Re: Are any of them any good?

        Zen was decent when I was living in the UK.

        And still are - I'm with them and about to get regraded to G.Fast. Each time I've talked to them the person appears to have a clue.

        1. Androgynous Cupboard Silver badge

          Re: Are any of them any good?

          Vote for Andrews & Arnold here. Had heard about them for years as being "The Geeks ISP" and thought I'd give them a try.

          On the few occasions I've had to flick them a support email or call I've rapidly got back a terse response with exactly the information I need - and without the two pages of "thank you for getting in contact" boilerplate, which is surprisingly refreshing. Moved house with them (to same exchange), regraded line, got a block of static IPs, all stuff that would have filled me with dread with a normal ISP and all went off without a hitch.

        2. john.jones.name

          security test of ISP

          Zen - actually pretty decent protect visitors to website against attacks with e.g. cross-site scripting (XSS) or framing only failure (and its big) is lack of DNSSEC and DANE to lock in TLS certificates on mail servers

          AAisp - pretty decent again but has the advantage of IPv6 however lacks DNSSEC and DANE which is a fail

          1. Crypto Monad

            Re: security test of ISP

            What's the problem with DNSSEC and DANE?

            If you're hosting a website, just host the DNS somewhere else. There's no need for your access ISP to be either your DNS registrar or your DNS authoritative nameservice. Indeed, if you keep them separate it makes it easier for you to change ISP in the future.

            Or are you saying that their DNS caches are non-validating? If so, you can always use 1.1.1.1 / 8.8.8.8 / 9.9.9.9 - or just fire up your own DNS cache.

          2. Arthur the cat Silver badge
            Happy

            Re: security test of ISP

            AAisp - pretty decent again but has the advantage of IPv6

            Zen does IPv6 as well (I turned mine on a couple of months ago), but they're not very good at publicising it. The only thing I know of in the knowledge base is this

            https://support.zen.co.uk/kb/Knowledgebase/Does-Zen-provide-IPV6-support

            which basically says "mail ipv6@zen".

            When I emailed them they replied 19 minutes later telling me I had IPV6 enabled on the line and to reboot my router to use it. Worked fine, no problems at all. I now have a stupid amount of addresses.

      3. Ian Emery Silver badge

        Re: Are any of them any good?

        There are plenty of big ISPs and plenty of good ISPs, sadly no names appear on both lists.

        Have a look at:

        http://www.ispreview.co.uk/

        For a comprehensive list of ISPs, the services they offer, price plans and lots of reviews.

        They cover 99.9% of all ISPs in the UK, including mobile, mesh and satellite.

      4. N2 Silver badge

        Re: Are any of them any good?

        IDNet Zen and A&A

        but clients would just stare like youve just spat in their face when suggested

  9. DougS Silver badge

    It is too late

    The spammers already harvested the addresses from his address book. Presumably the spam is not actually being sent from talktalk via the webmail interface, the headers are just forged to appear that way.

    1. Fred Dibnah

      Re: It is too late

      'His' name is Joanne.

      1. Solarflare
        Angel

        Re: It is too late

        'His' name is Joanne.

        Welcome to 2019 and all that !

      2. holmegm

        Re: It is too late

        Perhaps she, er, he, er, zhe, uh, "identifies" as ... oh, forget it :)

    2. Anonymous Coward Silver badge
      Trollface

      Re: It is too late

      and why wouldn't they be sending through talktalk? The user cannot change their password, so no risk there. Any SPF or DKIM that talktalk might apply will automatically pass.

      OK, if the account gets closed down then they'll probably start sending the same messages through a 3rd party, but as things stand there's no reason to do so.

      1. Version 1.0 Silver badge
        Thumb Up

        Re: It is too late

        I see emails from various old friends names @yahoo.com all the time but when you look at the email headers they are all originating in Asia - but all that means is that some spammer found an open relay. Significantly most spam arrives during working hours which suggests to me that the majority is coming via hacked computers in the corporate world.

  10. djstardust Silver badge

    BT

    Were supposed to shut down our email addresses within 6 weeks of leaving (unless we paid something ridiculous like £6 per account pwr month to keep them alive) and a year later they are all still active.

    1. Anonymous Coward
      Anonymous Coward

      Re: BT

      Keep schtum !!!

      If they find out we'll all have to start paying for it.

      1. Anonymous Coward
        Anonymous Coward

        Re: BT

        Despite repeated discussions about why it's a waste, my Father does indeed pay BT so he can keep his old email address!

        1. Humpty McNumpty

          Re: BT

          A few years ago one of our customers went bankrupt and we ended up acquiring what was left. This included the account details for the supposedly defunct BT account which (for reasons best known to them) was in charge of not just their phone lines but also their email and their website hosting. To this day I can still log in to that account, edit AND register domain details seemingly charged to thin air.

  11. TRT Silver badge

    I can confirm...

    That TalkTalk, who took over Tiscali with whom I had a dial-up when dial-up was all you could get, have very, very shit UIs.

    I kept on my old address as I had so much going through it, but their server was ONLY POP3, IMAP and SMTP with ONLY plaintext password transmission. No APOP implementation, even. I mean, who, WHO allows an email server to run with ONLY plaintext passwords as an option nowadays? Or for the last 25 years, even?

    All it would take is an eavesdropping on an unencrypted public WiFi and boom! account PWND. So I switched to gmail, but all I could do was forward Tiscali mail to Gmail. There was no way I could change the password myself, and I knew that password had been compromised by way of HaveIBeenPwned.

    No way to change passwords using POP, IMAP or SMTP commands from a client...

    After much, much haranguing of TalkTalk, they eventually set me up with an account to access the portal required to change passwords. It still forwards to GMAIL, but I've managed to expunge address books, sent mail folders, inboxes... as much as I can manage. And I'm gradually changing my account details, but some news sites simply won't allow a change of email address, would you believe it! One could create a new account with them, but then one loses access to all the historical stuff associated with that account, and all the "rewards" like having so many community points as to be ad-free.

    tl;dr TalkTalk are shit.

    1. Chris King Silver badge

      Re: I can confirm...

      "some news sites simply won't allow a change of email address, would you believe it"

      Not just news sites - and the worst of it is when "support" takes a month to tell you that they can't actually change the e-mail address associated with your account anyway, then waste even more time trying to delete it.

    2. Anonymous Coward
      Anonymous Coward

      Re: I can confirm...

      I also have a zombie Tiscali mailforward set up, the intention was that it's a disposable address, it would die one day and emails would then stop being forwarded...

      ..still waiting....

    3. druck Silver badge
      Unhappy

      Re: I can confirm...

      WHO allows an email server to run with ONLY plaintext passwords as an option nowadays?

      PLUSNET

    4. tip pc Bronze badge

      Re: I can confirm...

      “folders, inboxes... as much as I can manage. And I'm gradually changing my account details, but some news sites simply won't allow a change of email address, would you believe it! One could create a new account with them, but then one loses access to all the historical stuff associated with that account, and all the "rewards" like having so many community points as to be ad-free.”

      Well that’s another issue that’s wholly someone else’s problem and not talk talks, maybe email the news sires and complain, maybe they don’t know it’s an issue.

  12. revenant Bronze badge

    Indefensible

    "Nor had it explained why a customer account that had been inactive for eight years wasn't deleted after the customer walked away."

    The email account was linked to a customer account. That account no longer exists, therefore the associated email account could and should have been deleted.

    There is no need for TalkTalk to require the ex-customer to identify themselves in order to authorise what should be automatic internal housekeeping.

    How on earth do they manage to provide any sort of service?

    1. TRT Silver badge

      Re: Indefensible

      They have a huge legacy base from hoovering up a shit-ton of smaller ISPs over the years, and hoovering up larger ISPs who had in turn hoovered up the smaller fry. Instead of migrating people to new email addresses, they virtualised the old servers as they came end-of-life or as the tin was moved out of DCs that they were letting go of, and this left them with a massive and diverse virtual real estate which they just allowed to bubble along as always, no service improvements, minimal updates to web portals etc, essentially just rebranding the UI.

      1. Fred Dibnah

        Re: Indefensible

        Sounds like TT have read the NTL book on how not to do business.

        1. TRT Silver badge

          Re: Indefensible

          There's a certain UK HE establishment that has took the same approach to end-of-life tin... and proceeded to backup the virtual machines to the same storage array that the live VMs were running on. On the plus side, it did clear out a lot of dross when it all went horribly, horribly wrong.

          One wonders if TalkTalk could take the same approach?

          Ah, those were the days, eh? When the cover CD / Floppy or PCW had the setups for dozens of dial-up ISPs, when everyone, EVERYone, was offering a dialup service, Sainsbury's, WHSmiths, Tesco, the local Library Service, AOL, Demon, EasyNet, DungeonNetworks, SouthernElectric... EVERYONE.

      2. Anonymous Coward
        Anonymous Coward

        Re: Indefensible

        "a massive and diverse virtual real estate which they just allowed to bubble along as always, no service improvements, minimal updates to web portals etc, essentially just rebranding the UI."

        Place your bets on how attentive they are to OS and application software patches on this virtual estate...

    2. Anonymous Coward
      Anonymous Coward

      Re: Indefensible

      The implication is that if you have to identify yourself they still hold your personal data with which to compare you that they should no longer hold.

      1. Terry 6 Silver badge

        Re: Indefensible

        AC- Well said.

        "The implication is that if you have to identify yourself they still hold your personal data with which to compare.......etc.."

        Don't know why that got a dv. Especially as the down voter doesn't seem to feel the need to explain or contradict.

        Either TalkTalk have account details or they don't.

        If they do they shouldn't.

        If they don't then the ID info is of no value and the email account is manifestly ended and should automatically be closed too.

        1. TRT Silver badge

          Re: Indefensible

          There are levels of personal information. I see nothing wrong with holding onto a name and a service address for a former customer once that relationship has ended. Indeed, if they didn't hold such records, how could, say, a historical police investigation subpoena records? Is there a legitimate business case for doing so? That's another question. I would argue that there possibly is, discounts for a returning customer, details of installation works, issues with local exchange quality or engineers notes about the property. It's not like they have a copy of your passport, driving license, current credit card and bank account details, etc They wouldn't be comparing THOSE against what you possess to check who you are. They would simply have a record that a certain name had a contract with them at a certain address. An issue arises from that historical relationship, so they have to establish with reasonable certainty that the person who has contacted them about the historical relationship is, in fact, the person with whom they had a contract.

          I could throw hypotheticals at this, owned a car for 9 years, do I expect the dealer to have a record or delete it as soon as my warranty expires? But that's not specific to this case. It turns out they DID have an ongoing relationship for a service, even though it was unexpected. I read the situation as being one where they verified an identity before blithely progressing on to doing something without checking that they could reasonably trust that this person was who they said they were, and they did that in a "one-sided" way, not a "comparing what you have to what they have" way.

          In fact the details they hold about you are pretty scarce - do I have a copy of the last amount of a phone bill from 8 years ago? No! That's MY poor record keeping. What else do you expect them to do? Allow someone to close down an email address WITHOUT any verification?

          1. doublelayer Silver badge

            Re: Indefensible

            What data can and should be kept is another issue, but to correct one of your statements, we're not suggesting that they "[a]llow someone to close down an email address WITHOUT any verification", but that they close accounts that are inactive. It's a good measure for them to take as the account is no longer paid, may be required by a contract which initiated the account in the first place, better adheres to privacy laws, and prevents problems like the one mentioned in the article. When they didn't bother to do that and were contacted about an account sending spam, they could also disable the account, either simply for spamming people which is what they would do anyway or because they've now had their attention drawn to an account that shouldn't be live.

            1. Anonymous Coward
              Anonymous Coward

              Re: Indefensible

              I guess they have to balance the screams of the spammed with the screams of 'they shut down my email address which I use to control my aged mother's pacemaker'

              1. David Nash Silver badge

                Re: Indefensible

                The account was supposedly closed, nobody is going to be screaming if they shut it down.

                1. Loyal Commenter Silver badge

                  Re: Indefensible

                  Plus there would almost certainly be a clause in the orignal agreement that you wouldn't be using their services for such purposes - i.e. in a medical setting, or for control of things like power stations, traffic control systems, etc. etc.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Indefensible

                    on page 407 of the 6pt small print. Probably wouldn't stand up as a reasonable exclusion in a British court.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: Indefensible

                  Except up above we have various people who are still accessing old email accounts on supposedly closed accounts....

                  In my experience if you came along with a bulldozer and cleared Stonehenge a druid would pop out of the woods and complain that that was the only copy of his calendar that he had, and how was he going to mange organising his sacrifices.

                  1. TRT Silver badge

                    Re: Indefensible

                    Ha ha. You do realise that the Outer Circle at Stonehenge was the patch for the Y1K bug?

                3. Anonymous Coward
                  Anonymous Coward

                  Re: Indefensible

                  It has to be said...….

                  In space no-one can hear you scream !

                  TT all over...

          2. Loyal Commenter Silver badge

            Re: Indefensible

            see nothing wrong with holding onto a name and a service address for a former customer once that relationship has ended.

            Unfortunately for you, GDPR is quite explicit in that if you have no legitimate business need to do so, with informed consent from the person involved, then you cannot do this.

            There are reasonable exceptions in GDPR for situations where legislation requires the retention of data (e.g. for accounting records which must eb retained for a certain length of time), and for law enforcement. Keeping the name and address of a former customer doesn't fall under these.

            1. Loyal Commenter Silver badge

              Re: Indefensible

              Down-vote me all you like; names and addresses are clearly personally identifying information (PID) under GDPR. If you hold it, you have to have both a reason for doing it, and consent (except for where the retention is statutory and does not require consent).

              If someone is no longer your customer, you have no rights to their PID, except for such purposes as you are legally required to hold it. If that's inconvenent for you, I'd suggest it's your business model at fault, because it probably involves contacting people out of the blue in an unsolicited manner, or selling those details on so somebody else can.

              1. Anonymous Coward
                Anonymous Coward

                Re: Indefensible

                Under GDPR there are no set periods for retention. As a holder of data you have to set retention periods that fit your need, and are justifiable.

                I think I could make a case as an ISP that I held a list of email addresses of past customers for a long period (say 100 years?), justified, by a requirement not to reissue a user name of an ex-client to a new customer who might then impersonate the previous user. If I made that judgement, documented it, and respected direct requests to erase a user that specifically requests it I'm good to go, as long as I just keep an email address, and I just use it to vet new addresses. Equally I have to make a business judgement on how likely a user who lapses their subscription is likely to re-subscribe and so warranted retention of customer details for account validation. I might easily decide that that was 12 months, or 13, or 24. It's my choice, as long as I can justify it and I use the data for the purpose for which it's collected. If I bombarded the ex-client with special offers, or flogged their email to another company then its a GDPR fail.

                The issue here is nothing to do with GDPR - it's about failure to suspend a lapsed account.

            2. TRT Silver badge

              Re: Indefensible

              Well that informed consent would only apply to relationships initiated AFTER GDPR day, and even after that date, when you give informed consent you could have agreed to it for life. You DO get, under GDPR, the right to change that, to say STOP processing my details, erase them, forget about me. But this is still all too new to be tested in law as to what a reasonable period is. I had a quick dig and there's some shocking figure like 90% of customers present as repeat business after periods ranging from 3 years to 7 years since their last purchase from a company, depending on sector.

              I'm far less worried about a name and address and even an email address being retained by a company that I have interacted with, especially where it's a long standing relationship like a telecoms provider or an energy provider or a store for whom I have a loyalty card, than the creeping stuff going on without consent, or where the information is joined up to other stuff.

              One person's interpretation of reasonable might well vary from another's. At the end of the day, GDPR gives ME the right to decide FOR MYSELF when long enough is long enough, and that's more power than I think we've ever had like that.

              1. Anonymous Coward
                Anonymous Coward

                Re: Indefensible

                wrong on many levels. When GDPR came about you could only continue to hold data if it was collected in a GDPR compliant way in the first place.

                PECR was also around before GDPR (not forgetting Data Protection Laws) which also required consent.

                Once GDPR was in place all data had to be processed in a GDPR compliant way regardless of what happened before and when it was collected. Therefore (even if you ignore the previous laws) once GDPR was in place you could not indefinitely store that information.

                There is nothing about reasonableness that needs testing in law. You must hold the data for the minimum amount of time required for the legitimate purposes or reasons that you are currently holding it. You are required to make an assessment of how long the minimum time should be. A customer closes their account, I would suggest 6 months to clear up any outstanding queries with it then delete it.

                "But what about returning customers, with a special offer?". Well that is not a legitimate reason, so if a customer has left, they are no longer your customer wave them goodbye and hope that they may return as a new customer on their own accord whenever they wish.

                1. TRT Silver badge

                  Re: Indefensible

                  "I would suggest 6 months..."

                  You're not quoting any legal definition here, then. Therefore you're making a judgment about reasonableness. So there IS something about reasonableness that needs or could be or will be tested in law.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Indefensible

                    Reasonable is business specific, and the ICO have several sensible examples. I have silly ones.

                    Reasonable if I enter you into a prize draw for a weekend in Skegness, 0 days after the draw, or maybe 0 days after the prize is claimed, in case the winner decides Skegness isn't for them.

                    Reasonable if I sell you an ice cream, maybe 3-4 days (typical incubation period of e-coli).

                    Reasonable if I sell you an inflammable tumble dryer maybe 6 to 10 years in case of a product recall?

                    Reasonable if I sell an infant a widget with a life-time guarantee, maybe 4 score and 10 years?

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: Indefensible

                    "You're not quoting any legal definition here, then"

                    Exactly that is my point there is no test of reasonableness that need defining in law. As an organisation you need to make a valid assessment balancing the rights of individuals against legal requirements and essential needs. If you make that assessment that you are holding it for the minimum amount of time necessary and have informed the users then you are compliant, it doesn't need a court to decide this.

                    If you are holding data for longer just for your own marketing uses then it is not legal. My opinion 6 months would be fine for a customer account, they are free with greater insight to choose a longer period. If their marketing team get involved and ask to hold it for longer than defined purely by legislative or essential need then it is probably illegal.

                    This is the reason why the threshold for a DPO is quite low and they must be completely independent of any department that has a vested interest in the data and must be at a level that can report directly to the board or equivalent.

                2. TRT Silver badge

                  Re: Indefensible

                  OK, I found a legal obligation to keep a record of a contract, such as supply of a service like telecommunications, made in the UK.

                  Section 5 of the Limitation Act 1980.

                  Minimum retention: for the length of the contract or agreement and 6 years afterwards.

                  Not 8 years... but this is a minimum.

                  1. Loyal Commenter Silver badge

                    Re: Indefensible

                    OK, I found a legal obligation to keep a record of a contract, such as supply of a service like telecommunications, made in the UK.

                    The relevant words there are "record of a contract." That's likley to include the fact that the contract exists, and the required indentifying information for the signee (i.e. name, and possibly address). GDPR is also going to limit the uses you can access, and use, that information to those specified in the legal requirement to hold that information in the first place. I'm pretty sure theta wouldn't include using it to verify someone's identity because you have continued to hold other information about them that they (reasonably) want expunged - i.e. an email account.

                    1. TRT Silver badge

                      Re: Indefensible

                      Well, how else do you verify the reasonable request?

              2. jbuk1

                Re: Indefensible

                TRT I would strongly suggest for the good of any business you work for that you go back and learn about GDPR.

                You are incorrect on many of your statements.

                As mentioned, when you provided consent is of no consequence, if the data was not collected in a way that would currently be compatible with GDPR that you are required to reconfirm that consent or destroy any data you hold which is not covered by the legal basis or statutory regulatory requirements.

                You might have noticed the hundreds of emails you had asking you to do this just before GDPR kicked in.

                There is also no such thing as "life long consent" and never has been.

            3. This post has been deleted by its author

    3. Rich 11 Silver badge

      Re: Indefensible

      How on earth do they manage to provide any sort of service?

      Shamelessness and greed.

    4. Anonymous Coward
      Anonymous Coward

      Re: Indefensible

      "The email account was linked to a customer account."

      I think you'll find that actually the email account has never been linked to anything.

      My guess is that new customers have a new email account requested for them, after which the email account operates independently of the customer account on completely separate systems.

      Would be an interesting experiment to check for ways to get new email accounts provisioned externally. I bet its far from impossible.

  13. Locky Silver badge
    Holmes

    TalkTalk in account management fubar

    Colour me shocked

  14. Anonymous Coward
    Anonymous Coward

    Let this be lesson kids and why you do not use the ISP provided email service.

  15. STOP_FORTH
    Joke

    Clue is in name

    TalkTalk seemseem toto keepkeep makingmaking mistakesmistakes. Are they based in Hawaii?

    1. Anonymous Coward
      Anonymous Coward

      Re: Clue is in name

      Mama said No No....?

  16. anthonyhegedus Silver badge

    It should be obvious from looking at the mails sent from that account that they're phishing or spam. But TalkTalk aren't allowed to look in the account, are they, because of privacy, GDPR or whatever. So basically they'll adhere to regulations when it suits them.

    This is the problem with today's legislation: nobody will use any common sense. The least they could do is put a temporary block on it. But it's talktalk - they couldn't give a shit about actually helping someone.

    It's the same with Snapchat. I heard a piece last night on the TV about a man in prison allegedly sending upsetting messages to the family of the boy he killed, from prison, via snapchat. Will snapchat pass details to the police? Will they fuck! No, they're hiding behind some 'American legislation' that'll take too long to process.

    The sad fact of the matter is that these large companies like Facebook, Snapchat and TalkTalk are not really doing enough to prevent criminal activity. Facebook merrily let scammers selling stolen MS Office 365 IDs advertise on facebook every single day for example. It's plainly obvious to me that it's dodgy. So why can't facebook just call Microsoft, get them to investigate and close down anybody advertising cheap Microsoft licences? The basic answer is greed. They don't want to spend time or money that will ultimately result in them losing more money.

    It's time legislation changed. These social networks and email providers have a duty and they're clearly unable to regulate themselves. The only solution as I see it is intense government regulation. If the UK government can come up with a nobody-really-wants-it government universal porn filter, then they can damn well come up with something to control email providers and social networks.

    1. STOP_FORTH
      Trollface

      New legislation not required

      Surely it's about time these companies were prosecuted under the Proceeds of Crime Act 2002? Similar legislation exists in other countries. Maybe, if they won't pay taxes they might be prepared to pay fines. Or we could start chucking them in chokey?

      Pity they didn't do this when all the counterfeit tat started appearing on eBay. Might have been a useful example to others?

    2. Korev Silver badge

      A friend is a cop, they have encourage victims of harassment on social media to take a screenshot as it takes months and a lot of effort to get the data.

    3. Anonymous Coward Silver badge
      Paris Hilton

      The government devised porn filter is yet to be proven effective. I wouldn't use it as an example of "see, they can do it" because within about 3 seconds of it being deployed, it'll be bypassed.

      OK, it's probably the same in the social networks will manage to skirt around any equivalent law, but that's presumably not the point you were trying to make.

  17. silks

    BREAKING NEWS: Talk Talk Are Rubbish

    TalkTalk are rubbish, that's all.

    1. TRT Silver badge

      Re: BREAKING NEWS: Talk Talk Are Rubbish

      I quite liked "It's My Life".

  18. Oliver Mayes

    I've got an ongoing similar problem with Virgin. I used to have an old blueyonder email address on my parents account from the days when I lived with them.

    Haven't touched that account for years, assumed it was all closed down. But recently it suddenly came back to life and I'm getting thousands of bounced spam emails that are being sent from it. The emails are the standard nonsense, but they all have my old email address and it's password in white text at the bottom. So it seems they somehow brute forced it (or that old account was in one of the hundreds of leaks over the years). Luckily I don't use that password for anything any more. But Virgin don't want to hear anything about it. It's not my account, so I can't ask them to close it down.

    1. anthonyhegedus Silver badge

      And Vermin can't see that it's an account only used for sending spam and it was linked to a customer account that no longer exists? Same story, yes, as WankWank. It's easier to just leave it running than to even think of suspending it!

      It really is high time that we had some sensible rules about using common sense. Just because there isn't a policy for something doesn't mean that a decision can't be made!

  19. TheProf
    Unhappy

    TalkTalk are updating their email system

    I know as they keep emailing me about how wonderful the new system will be.

    If only I hadn't left them 3 years ago.

    One problem I had when I left them was that I couldn't log into my TT account, to request a refund, as I wasn't using a TalkTalk land line.

    I look forward to being used as a beard in future scamming and extortion acts.

  20. Peter Gathercole Silver badge

    Had a similar problem with Virgin

    I moved away from Virgin (just a dial-up and then ADSL account, not TV or cable), but my email address was still active for over a year after the account was closed.

    Got to the point where their webmail portal was not accessible, but my fetchmail POP3 scripts still worked both picking up and sending mail.

    Even though the account was supposedly closed, it was still used to send spam out after Virgin leaked the details in one of their data breaches (mail address and password), and it was also used to hijack my facebook account (which I did not notice because I don't actually use Facebook hardly at all).

    When I tried to get them to take action, all I got was the "Sorry, you're no longer a customer" spiel, although the mail address was eventually shutdown even for POP access.

    1. TRT Silver badge

      Re: Had a similar problem with Virgin

      Virgin shuts down inactive email accounts after 6 months. Even if you are still a customer. As I found out when I reinstalled the OS and everything on my laptop and forgot to add the account in to the email client. So when I stopped checking the mailbox they closed it off with no possibility of reactivating it. And why is that important? It's the address I had nominated for various service and account announcements which suddenly became important when they did something I didn't like and was told "well... we DID warn you." When I went back to check... yup... no access.

    2. John Brown (no body) Silver badge

      Re: Had a similar problem with Virgin

      IIRC, Virgin.net were the people doing ADSL and were subsumed into TalkTalk. What is now VirginMedia was the NTL:Telewest borg and not related to Virgin.net.

  21. adam payne Silver badge

    TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago.

    Internal house keeping processes should have taken care of this account long ago.

    Nor had it explained why a customer account that had been inactive for eight years wasn't deleted after the customer walked away.

    Would the GDPR right to be forgotten request include the mailbox?

    1. TRT Silver badge

      Not the mailbox, per se. Just their use of the address. Which opens some interesting possibilities.

      1. ibmalone Silver badge

        Surely the ISP don't know whether the mailbox itself contains PII though? They can hold it to fulfil a contractual relation (keeping the customer's mail), but once that contract is over they probably have to get rid of it for that reason if no other. (Probably some grace period is reasonable, 8 years is quite a lot of grace.)

        1. Roland6 Silver badge

          >Surely the ISP don't know whether the mailbox itself contains PII though?

          Well given when these systems were set up, it would not surprise me if the mailbox storage was in plan text and thus fully readable by the ISP....

          1. ibmalone Silver badge

            I was guessing they'd be able to read it, but to find out if there's any PII they'd have to actually read it, something of a catch 22. Schroedinger's enforcement notice.

    2. Anonymous Coward
      Anonymous Coward

      Please note that under the GDPR, personal email addresses are now classed as Personal Data.

      Let the fun begin!!

  22. NanoMeter

    Such a shame

    Such a shame

  23. Just Enough

    ridiculous advice

    "never to open unsolicited attachments unless you know the sender and are expecting their email."

    I've always thought this a ridiculous advice. So if I want to email a friend, I have to first phone them to tell them to expect it? If I email invites to a surprise party, my friend should ignore it because they weren't expecting me to email them about a party?

    Not exactly practical and not going to happen.

    1. Korev Silver badge

      Re: ridiculous advice

      I get 5-10 attachments per day in my work email*, oddly enough I don't ring the sender each time.

      *This is despite having O365 and being massive SharePoint users

      1. doublelayer Silver badge

        Re: ridiculous advice

        If you're sending me a party invitation by attaching something to an email, you might want to look at doing something else, as that certainly looks suspicious and I doubt I'd be opening that.

        In most cases, the sender will include information in the message body about the attachment and why it's there. It's not that unreasonable to read this information closely and follow up with the sender if there is confusion, and many malicious attachments are somewhat easy to spot. Whenever there is doubt (did they really want to send me a random .pdf when the message simply says "Could you take a look at this?"), it's worth checking in, if only to determine what they want me to do with this if they did intend to send it.

  24. x 7

    Actually an AOL account?

    Won't it actually be a talktalk branded AOL account? She may do better by asking whoever now runs AOL to close the mailbox

    1. Fred Dibnah

      Re: Actually an AOL account?

      If she doesn't know who runs AOL, she could do a search on Altavista...

      Sent from Windows for Workgroups 3.11

      1. John Brown (no body) Silver badge

        Re: Actually an AOL account?

        Yeah, I tried that. It took me to a Geocities page full of marquee tags and "Under Construction"! tape :-(

  25. Portent

    I once had fun with Talk Talk...

    A number of years ago my broadband provider was taken over by Talk Talk. I received a nice letter from them welcoming me. They then managed to completely forget I was a customer. I wasn't billed for two years but I was stuck on a really slow connection. I couldn't upgrade it to a faster line because Talk Talk said I wasn't their customer. I couldn't leave Talk Talk because whenever I tried the new ISP said there was a Talk Talk marker on my line and I would need the leaving code. Talk Talk wouldn't give me a leaving code because they said I wasn't their customer. I was stuck on 2mbit for years. While many would say it was great not being billed I needed the line for work and it would stop working randomly several times a week. Of course Talk Talk ignored me when I reported the problem because they said I wasn't a customer.

    I only managed to get it sorted when I raised a complaint with OFCOM.

    1. Andy Non

      Re: I once had fun with Talk Talk...

      Before the split with BT and OpenReach, I had a related issue with BT at one property we moved into. I phoned BT and asked them to make the phone line live in the property, but they said the property had never had a phone line into it. I explained that there was a telegraph pole outside with a line coming into the property into a BT master socket. It even had a continuous tone indicating it was hooked up. But no they said, our property wasn't even on their records, was it a new build? No, it was around 80 years old! Anyway, they booked an engineer to install a phone line.

      He arrived expecting to run cable etc but was surprised to see we already had a BT line. A few tweaks and we were up and running.

      In my experience all telecoms/internet providers rate on a scale between very incompetent to moderately incompetent. And I've dealt with most of them over the years.

      1. Wilseus

        Re: I once had fun with Talk Talk...

        This reminds me of an experience I had with NTL/Virgin. It was a long time ago, the early 2000s I think, so I can't remember the exact details, but I do remember that I had telephone, BB and TV with them. But for some reason I had two separate bills/accounts, one for TV and Broadband, and one for phone, the latter of which didn't actually exist on their system, yet I was being billed for, but the main problem was that both of them were billing me for line rental.

        They wanted me to pay by direct debit payments, which I refused to do until they fixed the issue, so as retaliation for not paying by DD, they charged me a £10 admin fee every month. And every month I'd phone them up and demand that they fix the issue, which they always didn't, and that they remove the £10 charge, which they always did.

        I couldn't leave, because a) I was scared that they'd forget about me and I'd never get my line rental refunded, and b) I couldn't move to another provider because of the telephone line with that wasn't on their system.

        I think this went on for about a year until I spoke to someone who actually knew what they were doing and they fixed the issue there and then.

        I left them after that and went to Sky which I have never had any problem with.

      2. Woodnag

        Re: I once had fun with Talk Talk...

        I had similar fun after building a new house on a old lot, demolishing the old house. It used to have POTS, and so it was easy to start a new account. However, the line to the house was dangling in the air by the fence, and obviously needed to be terminated to the house. However the phone company insisted that it was connected... and finally did the install after I managed to email the rep a picture of the dangling cable.

  26. Franco Silver badge

    Not even surprised

    I appear to have developed a callus over the part of my brain that experiences any sort of shock when an ISP fucks up and then says it's not our problem.

    In days of yore when I worked for an IT outsourcing company that looked after small business customers, we partnered quite often with a telecoms company when clients needed phones. They in turn obviously got kick backs from TalkTalk for referring clients, as most of our joint clients went with them on the telecoms company's recommendation. Any time you ever phoned them it wasn't TalkTalk's fault, either it was Openreach or "you aren't using our modem so we can't help you"

    1. Korev Silver badge

      Re: Not even surprised

      In Britain, most people base their choice of ISP on the basis of cost and not customer service or reliability. I guess the ISPs run on an incredibly tight shoestring, although some are worse than others. The ISPs on here that get recommended often eg Zen or A&A are more expensive for a reason.

      1. David Nash Silver badge

        Re: Not even surprised

        That's true and you can't blame them because there are periodic articles about how we should all be switching all the time, Money Saving Expert etc. giving league tables of "look how cheap this broadband is".

      2. Franco Silver badge

        Re: Not even surprised

        True, I use Origin and whilst they aren't the cheapest I've had no issues at all.

  27. jamm13dodger

    While I'm not a fan of Talk Talk.....

    it didn't take a great deal of searching to find this https://community.talktalk.co.uk/t5/Articles/Access-information-we-hold-on-you/ta-p/2204726

    Maybe a request for "Right to Erasure" would do the trick?

    1. Roland6 Silver badge

      Re: While I'm not a fan of Talk Talk.....

      >Maybe a request for "Right to Erasure" would do the trick?

      But requires "two forms of valid ID" - suspect this is what was being asked of Joanne.

      Interestingly, I note from the report of Daniel Gibbs investigation that clearly Joanne had simply "walked away" from the account all those years ago; otherwise, the addressbook would have been empty as would have been the email folders. I would hope that Daniel did clean out all the personal information.

      1. jamm13dodger

        Re: While I'm not a fan of Talk Talk.....

        not impossible I suppose but most people can find two of these;

        Birth certificate

        Driving licence

        Passport

        Utility bill (not from TalkTalk)

        Credit or debit card statement

        Council tax bill

    2. Gonzo_the_Geek

      Re: While I'm not a fan of Talk Talk.....

      You wouldn't do that to your worst enemy, the very worst of late 80s/early 90s copycat synth.

    3. TRT Silver badge

      Re: While I'm not a fan of Talk Talk.....

      I'm not sure if I prefer Sometimes to It's My Life. ... Mmm... Yes. Yes I do prefer Sometimes.

  28. Irongut

    If spammers are sending email to this woman's friends then her dead email account must include their email addresses. So she didn't delete her address book and old emails before cancelling her TalkTalk account? I'd say a large portion of the blame lies with her and her poor infosec practices.

    1. doublelayer Silver badge

      Victim blaming. It's wonderful, isn't it? The ISP didn't cancel the account or delete data when they were required, and someone else managed to get in and start spamming without assistance of the original account holder and despite their attempts to stop it, but yet it is the original person who is to be blamed for this?

      1. Roland6 Silver badge

        >The ISP didn't cancel the account or delete data when they were required

        When was it that the ISP was 'required' to do something? Yes, Joanne cancelled her contract, but what exactly had TalkTalk committed to do in the event of an account termination?

        From what I can see, prior to GDPR there was no real requirement for the ISP to delete data, it is only post-GDPR becoming law that the ISP now has real legal obligations over the retention of personal data, particularly if it relates to ex-customers.

        >someone else managed to get in and start spamming without assistance of the original account holder and despite their attempts to stop it, but yet it is the original person who is to be blamed for this?

        Whilst we don't know if her password was something trivial and so easily compromised, we do know that she had not cleared her mail folders and addressbook and so does carry some blame for her contacts receiving personalised spam from this account.

        What is clear from this case is that people's expectations about their online accounts and what providers actually do, are often very different in reality.

        However, GDPR does start to bring the real world into line with users expectations. but even this, it is good practice to clear down online accounts that you are about to terminate, just like it is good practice to clear the memory of your phone/computer before resale. Note I'm not saying I always follow good practice, just that I accept the blame when I don't and it comes back and bites...

        1. doublelayer Silver badge

          GDPR came into force almost a year ago. They're subject to it now, and it requires them. That is assuming their contract doesn't say something about account closure, which many do in order to indemnify the company when they delete users' data after accounts are closed.

          Once again, blame is not the correct way to deal with an account compromise. Whether the password was bad or not, the client did not take an action with the intent of allowing an attacker in. Yes, there are good practices that would have helped here, but not following every good practice does not automatically make any problem someone's fault.

          In that case, I could come to your house, find a place where you have been too lax with your security, and blame you for the fact that I broke in. Should I do that, the blame for breaking in belongs only to me. Good practices mean that it is less likely that I'll be able or inclined to break in, and as such benefit you because you don't have to involve law enforcement. You may have entered a contract with an insurance provider that requires you to follow certain practices in order to get benefits. Still, I am not rendered innocent if you forgot to lock your door.

          1. Roland6 Silver badge

            >I could come to your house, find a place where you have been too lax with your security, and blame you for the fact that I broke in.

            Well... If there is no evidence of forced entry both the law and insurance companies take an interesting stance - hence the problems associated with getting squatters evicted...

            >GDPR

            This does make this case interesting, as effectively it does require service providers to do a fuller investigation of their IT systems than the readily accessible records (ie. the customer account system's records) indicate. Mind you. I am a little surprised that TalkTalk haven't done a reverse check (email account to customer account) to help in the process of clearing out legacy - even if the legacy has been VM'd.

  29. Hollerithevo Silver badge

    This has been my recent hell!

    I have just finished a long correspondence with TalkTak on exactly this. I closed my account a zillion years ago (a Tiscali account) and yet the emails kept coming in and were active. I could not close this down because i no longer had an account. I wrote, once spam started pouring in, to get talkTalk to close it. They needed proof of identity, which I gave them. I chased, they kept asking me for the same proofes. I kept giving it to them. I then expostulated. They said I could go through the 'right to be forgotten' and I would ahve to send passport etc. I explained that this is not what I wanted -- I just wanted the email closed.

    They then said that they had updated and changed quite often and that they no longer knew what was on their servers, and so couldn't identify any account. I am not kidding.

    I was about to go to the Regulator, or to my lawyer. Now I am going to send TalkTalk a link to this story, and I suspect magic will finally happen.

  30. Stevie Silver badge

    Bah!

    This all boils down to "Rule One: so many previous mistakes that no latitude whatsoever is allowed to staff below a certain level" (and good for them for that - would that my bank representative had not had the latitude to allow A. Person to change my mother's maiden name on my account some years back) and "Rule Two: no-one at the right level is to be bothered by piffling ex-customer problems" which is where the wheels fall off.

    1. TRT Silver badge

      Re: Bah!

      Ha ha. Spot on.

  31. Anonymous Coward
    Anonymous Coward

    Not to dissimilar to Sky.

    I was a sky tv and internet customer a number of years ago. When I left i still had the use of their email which is hosted by Yahoo.

    Ok, unlike Talk Talk I can edit my password but it did surprise me to learn that i still did indeed have access to this email account. I would have expected it to be terminated when my contract with Sky ended.

  32. Anonymous Coward
    Anonymous Coward

    Utter horse dung

    This happened to a family member and the only way to solve it after they tried for 3++ years was my contacting them and threatening legal action.

    Scum.

  33. mrcrangle

    Same issue here...

    Like other posters on here, I've had a very similar issue with TalkTalk...an old dial-up Lineone email address was hacked, and the first I knew about it was receiving emails from that account with dodgy links/attachments in them. Maybe I was not especially thorough in clearing out the old account but the password was fairly secure and like others here, I can still access the account but not change the password. Whoever now logs in to the account seems to spend their time creating Epic Games and Amazon accounts.

    A phone call to TalkTalk obtained me nothing more than a curt (borderline rude) response that they could do nothing as they no longer support email addresses like Lineone or Tiscali. I found others had been helped on TalkTalk's support forum, so posted on there. Like Joanne, I was pointed to the 'right to forget', but this involved sending a company that seemingly hasn't kept my data safe proofs of identity, so I wasn't keen. I've been able to persuade the forum administrator to send my details over to the relevant team at TalkTalk to contact me and change the account password but so far, no contact from said team. I can't fault the guy on their forums but everything else seems to be fairly shambolic. I've prodded TalkTalk by posting a link to this article and we'll see what happens next.

    Thanks, Register, for raising awareness of this issue.

  34. Jamie Jones Silver badge

    I had a similar thing happen with a certain online payment merchant....

    A few months ago, I managed to snap up a domain that had expired. I do not feel guilty about this, because the domain was originally mine, and I lost it when I was in hospital a few years ago.

    So, I got my domain back, set up the email address, a few days later I got an email saying I'd been sent $100 - a few days later another one. I initially thought it was spam, but with further investigation,discovered it was legit, and belonged to someone who had been using the email address last year.

    I logged into the website, entered the login id (helpfully contained within the emails!) then hit 'forgot my password' and sure enough, received a 'reset my password' link in my email.

    I didn't go any further, but sent an email to the customer services telling them I have access to this bank account, it's not mine, and please cancel the email address..... The reply was that as I was not the owner of the account, I couldn't authorise an account change! I then replied that if I decided to clear the account out, it wouldn't be good for PR, and got a reply saying the problem had been sorted. It hadn't. For the next week I kept receiving receipts, until I ended up manually blocking the address my end.

    ... just checked the mailog, a delivery from them was attempted yesterday.... this could be an el-reg scoop!

  35. Jamie Jones Silver badge

    "Never open.... unless you know the sender"

    Easy enough for me, I still use mailx as my primary email reader, but have you seen how hard it is these days to verify an email address with most "email apps" these days?

    Forget seeing envelope senders, or mail headers, some systems don't even show the email address from the DATA header (just showing the 'real name')

    I remember being shown how to spoof the email address by talking directly to the mail server back in 1989.. And now, 30 years later, it's even more difficult to tell such spoofing is occuring

  36. chuBb.

    Is it me, but thanks to the update shes a more specific joanne...

    Just noticed the update from talk talk, seeing as no surname was mentioned through out the article just joanne, they refer to a Ms Thompson, guess they cant help them selves but to keep leaking customer info..... (although perhaps el reg could have noticed that and redacted the response appropriately...)

  37. BT Customer

    BT also failing to delete email addresses after customers leave

    I left BT a year ago (oh bliss!) but all my email addresses stayed active despite my repeated attempts to delete them using portal, online chats and phone calls. My BT logins still work, my BT IDs still work, and while I've managed (eventually) to silence 8 sub addresses, the old primary is undeletable. BT are totally useless at responding to repeated requests to deal with this. 13 months on and the primary btinternet.com address is still fully active, receiving, forwarding and able to send emai using either pop3/smtp or webmaill. And of course - hackable (it's a btinternet.com address on the much hacked Yahoo!/Oath platform). After 12 months I finally lost patience. I made a subject data access request giving BT details of all my logins and IDs and asking for a full dump of my data. I got a very very partial dump which ignored most of my logins and email addresses that were still visible on the customer portal. I then sent the whole complaint to ICO and yes, they have failed under GDPR and there are just a few days left to the deadline ICO gave them. As Mrs May is wont to say, "nothing has changed" - it's all still active and they still haven't sent me my data.

    If you have recently left BT - do make sure that they delete/inactivate your address and make a subject data access request to see what they "think" they hold on you. They probably won't be able to comply. Then shop them to ICO. If the ICO get a LOT of complaints about these incompetent ISPs then maybe at last they will issue some eye-watering fines that are big enough to dent their bottom line. Because they haven't done that YET despite some fairly major breaches by the likes of BT and TalkTalk and of course, Yahoo UK&Ireland/Oath.

    1. Roland6 Silver badge

      Re: BT also failing to delete email addresses after customers leave

      > My BT logins still work, my BT IDs still work

      Well, a good way to lock the BT account is to do a series of failed logins (mistype the password), it will get to a point where the only way to unlock is to call BT and for them to send out a letter to the registered account address...

  38. gnarlymarley

    report spam

    Solution is simple. Just have all recipients report the spam. If they use a reporting service such as http://spamcop.net, then talk-talk will be forced to deal with the problem or else face a possibility of being put on multiple email black lists. This should get some action.

  39. MrMerrymaker

    So many here have the same issue

    Why don't you all file a complaint and send a real message to Talk Talk?

    He says, optimistic.

  40. Anonymous Coward
    Anonymous Coward

    It started with talktalk

    Just imagine an NHS run by the big cheese of talktalk. Talk of opening of patient data for sale to large companies and free too! Watering down of data security requirements. An IT workforce increasingly paid a pittance compared to their private sector colleagues... sounds crazy, right?

    Wrong, Dido is looking to 'redesign' the NHS around her failed talktalk.

    How Tory Dido is even allowed to run a company stilll.. ow wait.. yeah, she's a Tory politician. Government is Tory. Both hate the NHS and anything beyond their personal own self-interest.

    Spam from obselete talktalk email addresses is just another success milestone for dear Dido.

  41. Anonymous Coward
    Anonymous Coward

    Security Worst Practices

    Have contacted the ICO after being asked for 2 of the letters of my password by TalkTalk in order to close an email account I haven't used in years. They've been sending emails to inform me of their new email system though why I would be interested I don't know. I refused to send any of the documents (birth cert, driving licence etc) to them given their history of data protection. In response one of the things they asked for was the 3rd and 6th letter of my password. I'd have thought passwords should be encrypted?

    1. Roland6 Silver badge
      Joke

      Re: Security Worst Practices

      >I'd have thought passwords should be encrypted?

      They are; your password is the 3rd and 6th letter of the password you use; all the other characters are just cryptographic camouflage.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019