Privacy concerns

Xcellor

I was recently checking my usage information for my ISP and while doing so inadvertantly discovered a bug on their site that allows access to any customer by guessing the customer ID. Upon doing this you can access all customer phone records + other sensitive information. It even allowing modification of account details.

Just wondering who to contact. I don't want to be accused of hacking because this was simply a typo that made the difference... Would it be better contacting data protection?

JDxtra

Let the company know in writing (email is fine). Then, if they don't fix it fairly sharpish consider reporting it to the Data Protection Commissioner and maybe even the press.

I'm tired of big organisations having poor security around personal customer data and there is simply no excuse for it these days.

FruitLover

I wouldn't pussy-foot around - bear in mind that you are a potential victim here. I'd let the ISP know in no uncertain terms my dissatisfaction in their (lack of) security here, and intent to inform the public (not just the DPC) if this product of laziness isn't corrected post haste.

Black Swan

It's an ISP zero day, so move quickly, as everyone is vulnerable.

hello932

Xcellor wrote: »

I was recently checking my usage information for my ISP and while doing so inadvertantly discovered a bug on their site that allows access to any customer by guessing the customer ID. Upon doing this you can access all customer phone records + other sensitive information. It even allowing modification of account details.

Just wondering who to contact. I don't want to be accused of hacking because this was simply a typo that made the difference... Would it be better contacting data protection?

Can you elaborate on this? Cos it sounds like you would have to brute force dictionary attack the user accounts passwords first before getting access.

thefinalstage

Xcellor wrote: »

I was recently checking my usage information for my ISP and while doing so inadvertantly discovered a bug on their site that allows access to any customer by guessing the customer ID. Upon doing this you can access all customer phone records + other sensitive information. It even allowing modification of account details.

Just wondering who to contact. I don't want to be accused of hacking because this was simply a typo that made the difference... Would it be better contacting data protection?

This is a very serious security hole. Inform the ISP immediately. If nothing is done within 7 days contact the data protection commission.

There are 2 schools of thought on releasing this info to the public.

1. If it is made public there will be a lot of pressure on the isp to sort it out.

2. if it is made public it puts people at a much higher risk of it occuring.

Gillo

thelastangryman wrote: »

This is a very serious security hole. Inform the ISP immediately. If nothing is done within 7 days contact the data protection commission.

There are 2 schools of thought on releasing this info to the public.

1. If it is made public there will be a lot of pressure on the isp to sort it out.

2. if it is made public it puts people at a much higher risk of it occuring.

If nothing else it'd be reckless to release the information, contact both the ISP and data protection commisooner. Bare in mind that while you may have accidentally come across this knowingly using it to access other peoples information would be a very serious offence.

Xcellor

Gillo wrote: »

If nothing else it'd be reckless to release the information, contact both the ISP and data protection commisooner. Bare in mind that while you may have accidentally come across this knowingly using it to access other peoples information would be a very serious offence.

Yep I will contact ISP. It seems the problem is worse than I though, you dont need to log in i.e. any person who gets the link can access details.

Exclamation Marc

thelastangryman wrote: »

This is a very serious security hole. Inform the ISP immediately. If nothing is done within 7 days contact the data protection commission.

There are 2 schools of thought on releasing this info to the public.

1. If it is made public there will be a lot of pressure on the isp to sort it out.

2. if it is made public it puts people at a much higher risk of it occuring.

I agree with this, but I wouldnt wait 7 days, I'd more so wait 2 days considering how sensitive the information has been implied to be.

To be honest, I'd go straight to the Data Protection Commissioner, as the customers have a right to know, and you never know, the company you are dealing with might try to sweep it under the carpet.

snappieT

I noticed something very similar last year for PAC (the postgraduate version of CAO), where you could see everyones's personal details and accept/reject offers for course they had applied to.

Contacted the Data Protection Commissioner straight away, they got in touch with PAC and it was fixed within 2 days.

El Camino

Xcellor wrote: »

Yep I will contact ISP. It seems the problem is worse than I though, you dont need to log in i.e. any person who gets the link can access details.

Well have you had any response on this one yet from the ISP?

Xcellor

The issue was dealt with prompt enough. The next day. Not really happy with this response though.

"Hi X,



Many thanks for sharing this information and I appreciate your concerns.



We have been making a large number of changes to our site over the last few months due to changes in banking procedures



We are also on the verge of launching a brand new site based on more stable and proven technology



The glitch you have identified was due to security measures being disabled for testing purposes on the statement page and a delay in re enabling these security measures. This was amended this morning and I would appreciate your feedback that this is now resolved.



Regards
ISP management"

They disable security measures on live customer databases and then to make it worse leave the security off... I replied back expressing my shock at such a practice, never got a reply back (5 days ago.). The actual bug has been present for over a month at least I noticed the issue ages ago but thought it was just random values I was getting, wasn't until I was in the account details that I saw other persons name.

Anyway the issue is resolved now. It really doesn't seem that they took it that seriously unfortunately...

X

the_syco

Xcellor wrote: »

Anyway the issue is resolved now. It really doesn't seem that they took it that seriously unfortunately...

X

Hrm. Let it slip to the broadsheets?

Sponge Bob

It would be quite in order to say who it was IF they have fixed it, their other customers have a right to know that their data could have been accessed too.

There have been no 'banking changes' this year , you were simply fed a load of BS there by some CS manager type.