
Thread: Plus Net Compromised.

  1. #21
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Quote Originally Posted by nihil
    Hi Moira,

    They are sending you e-mails, so that is the account that is on their database and has been compromised.

    I presume that it is their marketing mailing database that has been compromised. I guess that will contain all existing customers, past customers and contacts such as yourself.

    And of course the natural place for a marketing database to sit is on your webmail servers !!

    And yet all my card details and bank accounts are safe !!!

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  2. #22
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Steve, my man in ***** Ah! the joys of censorship, that is L-a-g-o-s assures me that they are

    The point is that this heap of crap is owned by BT, our major telco and ISP player, who must have internal audit and security functions...................so what kind of order is their house in?

    .
    Last edited by nihil; May 21st, 2007 at 07:02 PM.

  3. #23
    Agony Aunty-Online Moira's Avatar
    Join Date
    Jun 2003
    Posts
    1,063
    More comment on this from thinkbroadband.com
    77 111 105 114 97

    My PGP signature

  4. #24
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    I have received an answer:

    The following comment was added to the Question
    Dear Mr xxxx,
    Thank you for your enquiry. As neither ADSL nor the email services we provide carry a service level agreement we cannot offer compensation for the issues you have experienced. Our wholesale provider doesn't even offer us a SLA on any products supplied, even for business customers. This means we cannot supply one in turn as it would be impossible to fulfill. The same can be said for email. Due to the nature of the service, nothing can be guaranteed. I know not of a provider in the UK who will guarantee an email service and offer financial compensation should emails be lost or otherwise. Once again, please allow me to express our most sincere apologies.


    As you can imagine, this is not the response I was hoping for. I have, for the moment, decided to follow the plus.net procedure for complaint resolution and I have written to the customer service director, registered post, with a certificate of posting:


    Dear Sir/Madam

    I am writing because I have been unable to resolve the complaint I made to customer services: ID: xxxxxxxx for account xxxxxxxx to my satisfaction.

    The basis for my complaint is that as a result of your failure to secure my personal details, I am now receiving unsolicited (spam) email to my domain (xxxxxx.net) that was free of unsolicited email (spam) before this failure. As a result I have incurred cost and experienced loss to ensuring that I receive no spam, hence it is reasonable for these costs and losses to be recompensed.

    Concerning the matters of service level agreements raised in the last reply to this ticket:

    <snip above reply>

    I consider that these matters are not relevant as I am not basing my complaint on a failure of service but of your failure to take reasonable care to protect my personal details, and hence my claim is based on the premise that you have been negligent in securing my personal details.

    I would therefore ask that you re-examine this issue and make me a reasonable financial offer to cover my costs and compensate me for my loss following your failure to adequately secure my personal details.

    To break down my costs and losses further:

    <snip details of costs>

    I expect a reply within 10 working days of the posting date of this letter, no later than 10th June 2007

    I enclose a copy of the ticket transcript.

    Regards,
    Last edited by steve.milner; May 24th, 2007 at 09:56 AM.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #25
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm.............. hey Steve, do you want to borrow a box of coloured pencils (I used to use them for debugging program logic back then) because I think that you are going to have to spell it out to them in brightly coloured capital letters?

    SLA = Service Level Agreement = "a contractual or quasi-contractual understanding between parties where a service is provided"

    Regulatory Compliance = "conforming with the statutory regulations laid down by the Parliament of the United Kingdom. This includes, but is not restricted to the Data Protection Act 1984"


  6. #26
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    It will be interesting.

    My Sister and my Parents are both plus.net customers and are awaiting the outcome of my complaint before starting their own.

    They have released a 'detailed' report.

    http://community.plus.net/comms/2007...cident-report/

    I think this is relevant:

    c. Why did it happen?

    A vulnerability within our implementation of Webmail code in our portal was discovered and used by malicious attackers.

    Our subsequent investigations found a number of vulnerabilities with our implementation of the Atmail application, including the vulnerability which had been exploited. This led to the decision we took to stop using the software entirely.


    and this:
    f. What have we done to resolve the problem and prevent something similar in the future?

    Since the issue came to light the entire team at PlusNet has focused on the security of our network and customer data, and email system improvements. In order to resolve the issue and limit the impact on our customers we have:

    - Undertaken a complete external security audit and rebuilt aspects of our platform that we felt didn’t meet stringent security best practices

    - Created a dedicated PlusNet security team which is formally responsible for all aspects of data and software security on our platform


    I consider that the above two points would have been expected to have been in place by a reasonable person.

    As you said Ni, we should worry about BT!

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  7. #27
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Update:

    Hmmm.............. hey Steve, do you want to borrow a box of coloured pencils
    I think I'm gonna need 'em

    The Customer Services Director has refused my claim, again quoting SLAs

    I have requested a CISAS deadlock ID.

    I await.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #28
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm, the scumnet crowd seem to like to blame their "wholesaler"............. that does not cut ice............ could be close to fraud? as their "wholesaler" happens to own them? maybe sue BT direct for the actions of their subsidiaries whose actions they are clearly responsible for?

    Perhaps it is time your MP asked a question in the House other than directions to the nearest toilet or bar?

    BT must have some sort of licence, maybe it is time that it was challenged?


  9. #29
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    Well Steve, even though I am sympathetic to your situation I am failing to see how you have a claim against them just because you now receive spam. Sure you can claim you didn't receive spam before the breach, but can you prove that the spam is a direct result of the breach? Heck, perhaps you were in someone's address book and it got rooted by a virus. Thus you are now receiving spam and it's a mere coincidence. I am not sure of the other laws in the UK pertaining to this matter as I reside in the United States, however you have to prove there wasn't another vector for a spammer to get your address.

  10. #30
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Net2Infinity,

    but can you prove that the spam is a direct result of the breach?
    There isn't any need, as Plus Net have admitted that a breach in their security has resulted in people on their records receiving spam. They have actually e-mailed people warning them of this problem.

    perhaps you were in someone's address book and it got rooted by a virus.
    Along with a lot of other Plus Net customers who have never even heard of Steve, nor he of them? The only address book would have to be Plus Net's

    They are not denying what has happened, nor that it was their fault. The issue here is to what extent might they be held financially responsible.

    In the case of private individuals I would say that the losses/costs that you could prove would be so small as to not make it worthwhile. In the case of websites and commercial customers, it is a different matter.

    As Plus Net have not immediately responded by quoting some "small print" that absolves them of blame, I suspect that there isn't any. Their lawyers (and other reptiles) will have advised them to be in a state of denial, at least until they can figure out the potential scope of the liability
