ISP Emails Customer Database To Thousands
Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."
They shouldn't even have the passwords (Score:5, Informative)
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!
Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.
Re:To err is human... (Score:4, Informative)
A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on. You don't want to give them a new password at that point because their daughter isn't around to write it down again. And in practice, the password isn't protecting anything of value anyway.
Re:Free market will fix this (Score:4, Informative)
Demon, once upon a time at least, was a VERY good ISP (ex-customer and I don't recall leaving them due to dissatisfaction, I think it was the move to ADSL which prompted the switch).
Anyways, http://forums.thinkbroadband.com/ [thinkbroadband.com] is a good place to get real user feedback on ISPs. Somewhat strangely there are 666 new posts for Demon (I kid you not). I personally am unable to recommend any ISP though. Clara.net shafted me for £100 years ago when their channel bonded ISDN service just wouldn't work for me so I'd recommend you avoid them like the plague; Nildram used to be GREAT but apparently have been taken over by talktalk and users don't look happy; and personally I'm currently stuck with Virgin who routinely cause my blood pressure to rise but because they offer the best speeds blah blah blah.
On the business side I'll say that NewNet and Spitfire have done what they say on the packet overall.......
Anyways, yes, if someone finds a decent ISP let us know please.
Another reason... (Score:3, Informative)
Re:They shouldn't even have the passwords (Score:2, Informative)
Ummm. Where I work spreadsheets are called "databases".
But surely you don't have an ebilling login system trying to look up passwords in an excel spreadsheet? Or even an MS Access database? Although maybe Demon Internet does, given their extreme lack of clue.
(and spreadsheets aren't databases, you can't write SQL queries against them)
Re:Free market will fix this (Score:1, Informative)
Then they got bought by THUS and, well...you can read the story for how that worked out.
Anyone else with horror stories with Demon? (Score:4, Informative)
Passwords are needed - CHAP (Score:5, Informative)
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!
While having it in an Excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the radius server, which can then look up the salt, hash it, and then verify the password.
However, since this means sending passwords in the clear, most modem concentrators (most ISPs resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the radius server. In order for the radius server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.
That said, it should be stored in a hardened and dedicated server that only handles the storage (sql or ldap) and the radius server. Any billing interaction should only be to update the password, never to read. And it should never be put into an Excel or Word doc!
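The PAP-versus-CHAP point in the post above, shown as an added example that is not part of the original thread or of any ISP's code. It models both flows in Python: with PAP the server can keep only a salted one-way hash because the password itself arrives on the wire, while with CHAP (RFC 1994, response = MD5(identifier || secret || challenge)) the verifier has to recompute the same digest and therefore needs the cleartext secret. The username, password and the `demo()` helper are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; not taken from the article.
USERNAME = "user@demon.example"
PASSWORD = b"correct horse"


# --- PAP: the password crosses the link, so the server needs only a salted hash.
def pap_store(password: bytes) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return {"salt": salt, "hash": digest}


def pap_verify(record: dict, password_on_wire: bytes) -> bool:
    # Re-derive from the password the client just sent and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password_on_wire, record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])


# --- CHAP (RFC 1994): the terminal server challenges, the client answers with
#     MD5(identifier || secret || challenge); the secret never leaves the client.
def chap_challenge() -> tuple[int, bytes]:
    # One-byte identifier plus a random challenge, as the NAS would generate.
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # Computed on the client side (or the RADIUS server, when it re-checks).
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(stored_secret: bytes, identifier: int, challenge: bytes, response: bytes) -> bool:
    # The verifier must recompute the exact digest, which is only possible with
    # the cleartext secret; a salted hash of the secret cannot stand in for it.
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both flows once and report which verifications succeed."""
    pap_record = pap_store(PASSWORD)
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, PASSWORD, challenge)
    return {
        "pap_ok": pap_verify(pap_record, PASSWORD),
        "pap_wrong": pap_verify(pap_record, b"wrong"),
        "chap_ok": chap_verify(PASSWORD, identifier, challenge, response),
        "chap_wrong_secret": chap_verify(b"wrong", identifier, challenge, response),
        # Feeding the PAP-style hash into the CHAP check fails: hashing does not help here.
        "chap_with_hash_only": chap_verify(pap_record["hash"], identifier, challenge, response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last entry in `demo()` is the crux of the post: a RADIUS server holding only a salted hash can answer PAP but not CHAP, which is why the plaintext has to exist somewhere on the authentication side, and why that store should be isolated from billing as the post says.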
Re:To err is human... (Score:5, Informative)
Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post [slashdot.org]
Re:Free market will fix this (Score:3, Informative)
Re:Free market will fix this (Score:1, Informative)
"Standard practice is that NOBODY, not even sysadmins can see it."
Damn, I guess I won't mention which big webhosting company I just stopped working for then...but suffice to say they just merged with another big webhosting company... fellow slashdotters, if you have webhosting at a large hosting company that has recently undergone a merger, and you value the secrecy of your passwords, tread carefully.
Re:Free market will fix this (Score:1, Informative)
There are quite a lot of ISPs for DSL in the UK, if you can get BT DSL then you can get the competition. There is a range of small-large ISPs which gives the UK a pretty good selection.
http://www.dslzoneuk.net/isp_ratings.php
Re:Notice the words carefully... (Score:4, Informative)
intent.
A hacker didn't accidentally get into a system,
I wonder... (Score:2, Informative)
Re:To err is human... (Score:3, Informative)
Which is why a CHAP password is not a unified billing password.