According to PCPro, an ISP in Britain, while sending an email to its customers with instructions for a new billing system, inadvertently attached a spreadsheet containing records on 3,600 of its customers. The details contained in this spreadsheet were the customers' full name, email, address, telephone, business name, and two columns without headers remarkably similar to … usernames and passwords.
Wait, passwords? No, seriously, are you kidding me? PASSWORDS???
The mind boggles. I honestly don’t know where to begin. It is a sin against sins at any level or in any field of I.T. to store passwords in a manner that is reversible. Storing them in plain text, however, a format which doesn’t even need reversing … it’s just … you see … I mean … GAH!
To put this into context, to convey my feelings about this and the effect these events have on me, just imagine if you will a respected university handing the job of head of the biology/history/geology department (or all three combined) to a fundamentalist young earth creationist.
To top this off, the official cherry on top for this whole story for me was one line towards the top of the article. “Demon is refusing to disclose how many customers have received the spreadsheet, although it says it’s less than a few thousand”.
Well, I guess as long as it was under a few thousand people that now have the logins for a billing system serving police forces, NHS trusts and government officials, then there’s nothing to worry about at all. *rolls eyes*
They have shown themselves to be horribly irresponsible and beyond amateurish in their methods. I hope that at the very least they don’t display full bank account/credit card numbers for the clients in the billing system. Hiding such information is what any business with an iota of responsibility does – but then again, so is not storing passwords in plain text or in a reversible manner.
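To make concrete what "not reversible" means in practice for the password column discussed above, here is an added example (not the ISP's code, and not from the article): each password is replaced by a salted PBKDF2 record that still lets the billing system check a login, while the spreadsheet, if leaked again, would expose no password. The sample rows, names and addresses are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; stored in each record so it can be raised later.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a one-way record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


# Constructed rows in the shape of the leaked spreadsheet (fake data, plaintext column).
LEAKED_ROWS = [
    {"name": "A. Example", "email": "a@example.invalid", "password": "summer2009"},
    {"name": "B. Example", "email": "b@example.invalid", "password": "letmein"},
]


def harden_rows(rows: list) -> list:
    """Drop the plaintext column and store only the irreversible record.
    Nothing in the returned rows lets a reader recover the original password."""
    hardened = []
    for row in rows:
        kept = {k: v for k, v in row.items() if k != "password"}
        kept["password_hash"] = hash_password(row["password"])
        hardened.append(kept)
    return hardened


if __name__ == "__main__":
    for row in harden_rows(LEAKED_ROWS):
        print(row["email"], "->", row["password_hash"][:40] + "...")
```

Even with the spreadsheet in hand, an attacker would have to guess each password and run the full work factor per guess; a plaintext or reversibly encrypted column hands the logins over for free.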
This also brings me to another topic I want to talk about – disclosure laws. The US and UK both have them, and we hear stories of data leaks every other week from both of these countries. The story above wasn’t discovered through the laws but because a recipient of the list went to the media. Here in Australia, there are no such laws. It often makes me wonder just how many data breaches do happen here that we simply don’t find out about.
The topic did come up six to twelve months ago in numerous IT news publications, but to my dismay it was shrugged off with the argument that those kinds of leaks didn’t happen in Australia, so such laws weren’t really needed. Well, without such laws how would we know? To my knowledge there’s no body that such leaks are to be reported to for tracking either. The Australian public is kept in the dark, ignorant. Something I am not too fond of.