WARNING: Eircom broadband users. Your personal information may not be secure

Krunchie

Yesterday I noticed that my broadband usage was showing the incorrect stats. On closer examination I noted that the broadband usage meter was actually giving me someone else's stats. I had not attempted to login or out or the usage meter and this simply happened after booting up my laptop


I contacted broadband support by telephone and the person I spoke to knew very little about how the usage meter worked. I had to provide that information. It's always a bad start when the person who is supposed to be providing support knows less than me.


The agent also failed to grasp the seriousness of the problem. If I have access to someone else's details then another person may have access to mine and this problem could be widespread. The information provided could be used to gain further information allowing a malicious person to gain very priviliged information about an eircom customer. I explained to the agent that this is a very serious data protection issue and that this places eircom in breach of their obligations under data protection legislation and potentially places all customers at risk.


Unsurprsingly I got nowhere on this phonecall. I'm posting this here so other users can know of the dangers. Next step will be Comreg or the data protection commissioner to lodge a formal complaint.


Best Wishes,
Barry

dillo2k10

Something like this happened to me with norton 360.
When I logged into my account my details were not there. Someone elses name, address, phone number, credit card. This happened 7 times. I contacted all of the people who's details I was given and 3 of them told me that all of my details were in their accounts.

jor el

Krunchie wrote: »

If I have access to someone else's details then another person may have access to mine and this problem could be widespread. The information provided could be used to gain further information allowing a malicious person to gain very priviliged information about an eircom customer.

What information is actually available on the eircom stat-meter though?

Krunchie

jor el wrote: »

What information is actually available on the eircom stat-meter though?

Not much but that information could be used in turn to get sensitive info. I phoned the person whose details I had to let them know. I knew their name, account details, download capacity, how much they'd used etc.

If I was a malicious person I could have told that user I was from eircom and used the details to back me up and possibly persuaded them to give me further data. I could also have contacted eircom and claimed to be the other person

Also if eircom aren't keeping this information secure how confident can we be that the rest of our details are being held securely

thefinalstage

Krunchie wrote: »

Yesterday I noticed that my broadband usage was showing the incorrect stats. On closer examination I noted that the broadband usage meter was actually giving me someone else's stats. I had not attempted to login or out or the usage meter and this simply happened after booting up my laptop


I contacted broadband support by telephone and the person I spoke to knew very little about how the usage meter worked. I had to provide that information. It's always a bad start when the person who is supposed to be providing support knows less than me.


The agent also failed to grasp the seriousness of the problem. If I have access to someone else's details then another person may have access to mine and this problem could be widespread. The information provided could be used to gain further information allowing a malicious person to gain very priviliged information about an eircom customer. I explained to the agent that this is a very serious data protection issue and that this places eircom in breach of their obligations under data protection legislation and potentially places all customers at risk.


Unsurprsingly I got nowhere on this phonecall. I'm posting this here so other users can know of the dangers. Next step will be Comreg or the data protection commissioner to lodge a formal complaint.


Best Wishes,
Barry

Update your usage meter to the latest version and the issue will be resolved.

fudgez

Eircom ridiculously insecure. Seriously never go with eircom if you can avoid it. Just ask anyone who's into computers how easy it is to hack an Eircom wireless network.

jay93

eircom dont give a toss about security tbh!

totoal

Have they shut it down?
Tried to login with app and can't, but can see figures online.

Krunchie

thelastangryman wrote: »

Update your usage meter to the latest version and the issue will be resolved.

That's not really the point. My personal data and the personal data of others is at risk

Krunchie

totoal wrote: »

Have they shut it down?
Tried to login with app and can't, but can see figures online.

Mine still works. Their attitude on the phone indicated a complete lack of interest despite my best efforts

Queen Maeve

Hi Krunchie,
I saw your post re eircom, and am now worried - I was just speaking to them about enrolling for their broadband package. I am moving house and have been with Permanet as Eircom BB wasn't available when i moved here. I wanted to have phone, BB all in one package now, best value. Do you still think their service insecure?
Any other ideas anyone on what to do?
I'm new to this site and would appreciate any guidance.:rolleyes:

everdead.ie

thelastangryman wrote: »

Update your usage meter to the latest version and the issue will be resolved.

If he updates sure he might not get other peoples information but others could still possibly be getting his and other people could be at risk too

jor el

Krunchie wrote: »

Not much but that information could be used in turn to get sensitive info. I phoned the person whose details I had to let them know. I knew their name, account details, download capacity, how much they'd used etc.

That much? It seems far too much information to be available to a usage tracker. All it needs is a phone or account number, and your stats. They really shouldn't have any more information than that displayed, as it's not necessary, and in this case, a serious security breech.

First contact eircom to let them know, then contact the Data Protection Office to let them know.

dlofnep

fudgez wrote: »

Eircom ridiculously insecure. Seriously never go with eircom if you can avoid it. Just ask anyone who's into computers how easy it is to hack an Eircom wireless network.

Eircom, nor any ISP for that matter is obligated to setup encryption for your wireless network. Infact, many ISP's don't enable any form of encryption and leave you to configure your own wireless network.

Granted, Eircom's keys were generated by foolish algorithms - but that's not their responsibility. It is their responsibility to provide you with a connection to the internet, and anything on your LAN is your own responsibility.

If someone didn't take the time out to configure their network and setup WPA rather than out of the box WEP key - that's their own fault, and nobody elses - not eircom's, not the router manufacturer.

Baneblade

Not sure how you could see their name.

For those that dont have it or not seen it i have attached a screenshot, hitting the log in as different user will show the phone/account number it is currently using

Bruno2010

Baneblade wrote: »

Not sure how you could see their name.

For those that dont have it or not seen it i have attached a screenshot, hitting the log in as different user will show the phone/account number it is currently using

No name is displayed on usage meter, no account number is displayed on usage meter ... only tel number. no other personal details. upgrading to the latest version (re-installing from www.eircom.net/usagemeter ) will provide the latest version and solve any issues where incorrect tel number is displayed

Krunchie

Bruno2010 wrote: »

No name is displayed on usage meter, no account number is displayed on usage meter ... only tel number. no other personal details. upgrading to the latest version (re-installing from www.eircom.net/usagemeter ) will provide the latest version and solve any issues where incorrect tel number is displayed

At risk of repeating myself, this is not just a technical problem. The details revealed allowed me to very easily determine name, location etc. I phoned the person whose details I had. A malicious type could have said the following
"Hello Mr X, I'm calling from eircom. I have a copy of your broadband stats in front of me. I wonder if you could....."

Regardless this information should be held securely and if this info is not held securely then other sensitive info may be at risk.

Updating software does not make the issue of data protection go away.

Krunchie

Queen Maeve wrote: »

Hi Krunchie,
I saw your post re eircom, and am now worried - I was just speaking to them about enrolling for their broadband package. I am moving house and have been with Permanet as Eircom BB wasn't available when i moved here. I wanted to have phone, BB all in one package now, best value. Do you still think their service insecure?
Any other ideas anyone on what to do?
I'm new to this site and would appreciate any guidance.:rolleyes:

Well I think this issue is a concern and maybe make your sales rep read this thread before you sign up. But if I were about to sign up to eircom I would think twice before doing so after finding out about this. .You should at least ensure you use the maximum password protection on your router and ensure you do not use the default password.

Other contributors should be able to give you further advice

dlofnep

Krunchie wrote: »

At risk of repeating myself, this is not just a technical problem. The details revealed allowed me to very easily determine name, location etc. I phoned the person whose details I had. A malicious type could have said the following
"Hello Mr X, I'm calling from eircom. I have a copy of your broadband stats in front of me. I wonder if you could....."

Regardless this information should be held securely and if this info is not held securely then other sensitive info may be at risk.

Updating software does not make the issue of data protection go away.

What details did you have as a matter of interest? Anyone can social engineer anyone with no more than a phonebook - so what exact information have you been made privy to?

java

Baneblade wrote: »

Not sure how you could see their name.

For those that dont have it or not seen it i have attached a screenshot, hitting the log in as different user will show the phone/account number it is currently using

All I'm seeing is a telephone number here and no other personal details. My understanding from the initial post was someone elses personal details were visible. Am I missing something obvious here?

kosie

Just had a look at my stats on the usage thingie and all I can see is my telephone number and the usage stats.

If I was a malicious person as you said, I can just as well pick a phone number from the directory and make up some usage stats when phoning that number.

You are making a huge issue out of nothing, IMHO.:)

kosie

java wrote: »

All I'm seeing is a telephone number here and no other personal details. My understanding from the initial post was someone elses personal details were visible. Am I missing something obvious here?

The original poster were fibbing, I suspect. :rolleyes:

MarkR

Minor inconvenience, rather then major security breach I think.

Krunchie

I'm not going to keep repeating the same info over and over. I never said "serious" security breach. I used the word "serious" only in relation to rules around data protection. Read the title of this thread. Also like I suggested, within a few mins I had personal info about the eircom customer. When I phoned that person and revealed the information I had they were very unhappy with that. Also I had enough info to act maliciously if I were so inclined.

But if you guys don't see this as an issue, think I'm "fibbing" or whatever that's up to you. I can't persuade you otherwise and I won't waste yours or my time trying.

dlofnep

What information exactly did you have. You're either making a big deal of nothing, or there is genuinely crucial information available that Eircom uses should be aware of.

So what exactly did you have - Name, phone number, address, account number? If it's just a phone number and a name, then anyone with intentions of social engineering could do that through a phone book. Either alert people properly, or stop fear-mongering.

Sponge Bob

Krunchie wrote: »

I'm not going to keep repeating the same info over and over. I never said "serious" security breach. I used the word "serious" only in relation to rules around data protection.

It sounds like a very serious data protection breach TBH. I take it the breach is only for those who register with eircom for online billing and usage and who are not on NGN yet.

If you are not registered with eircom for online billing and usage stats there is no breach I take it...

thefinalstage

Sponge Bob wrote: »

It sounds like a very serious data protection breach TBH. I take it the breach is only for those who register with eircom for online billing and usage and who are not on NGN yet.

If you are not registered with eircom for online billing and usage stats there is no breach I take it...

The usage meter only works with people using NGB.

Sponge Bob

If the NGN usage app is the problem them PM me for some emails of senior eircom people and give them a week to fix it ....quietly..

If they don't then go public which is what i did over the WEP issue 3 or 4 years back ..and they started to ship their routers with WPA thereafter.

testicle

Much ado about nothing.

If you want random phone numbers try www.eircomphonebook.ie

Bruno2010

Sponge Bob wrote: »

If the NGN usage app is the problem them PM me for some emails of senior eircom people and give them a week to fix it ....quietly..

If they don't then go public which is what i did over the WEP issue 3 or 4 years back ..and they started to ship their routers with WPA thereafter.

Hi,

Already fixed. New version available on www.eircom.net/usagemeter

weisses

Krunchie wrote: »

I'm not going to keep repeating the same info over and over. I never said "serious" security breach. I used the word "serious" only in relation to rules around data protection. Read the title of this thread. Also like I suggested, within a few mins I had personal info about the eircom customer. When I phoned that person and revealed the information I had they were very unhappy with that. Also I had enough info to act maliciously if I were so inclined.

But if you guys don't see this as an issue, think I'm "fibbing" or whatever that's up to you. I can't persuade you otherwise and I won't waste yours or my time trying.

Appreciate the effort but the Irish attitude in general is to pretend nothing is wrong and just look the other way