Plus Net Compromised.

[steve.milner]

Just got one Moira.

Are you paying them anything??

Steve

[Moira]

Like hell am I paying them! What would I want to pay PlusNet for ?? They aren't my ISP.

[steve.milner]

It's all a bit wierd really.

Steve

[Moira]

Very. It makes me glad I'm not a PlusNet customer if this is an example of their efficiency. They certainly don't provide me with any service, nor do I pay them so it's rather strange to be the recipient of all these emails. When I was considering switching to them it was several years ago too.

[nihil]

OK I have been giving this one a bit more thought and have the following suggestion. It is pure speculation on my part but seems to fit what we know so far?

1. PlusNet obviously have a contacts database of everyone who has ever contacted them for any reason. We all know how anally retentive marketing types can be when they get a "live" e-mail addy? This would explain why Moira is getting the warnings even though she never did business with them.

2. I would suspect that the contacts database is not considered important and has been compromised in its entirety. I would expect that the customer accounts database is secure or at least relatively so. If it had been compromised, Steve would get the e-mail but Moira wouldn't.

Basically PlusNet have been holding personal details of people who are not their customers. I know that this is done whilst you are negotiating with a potential customer, but I would have thought that it was common practice to delete these records after 6 months or so.

This raises a couple of questions in my mind:

1. What are PlusNet going to do for people like Moira, who has been compromised by their incompetence but is not a user of their services?

2. What other personal information was on that database and has also been compromised?

EDIT: The plot thickens:

http://www.theregister.co.uk/2007/05..._webmail_shut/

[Moira]

2. I would suspect that the contacts database is not considered important and has been compromised in its entirety. I would expect that the customer accounts database is secure or at least relatively so. If it had been compromised, Steve would get the e-mail but Moira wouldn't.

Or else we'd both get an email if both databases had been compromised.

Basically PlusNet have been holding personal details of people who are not their customers. I know that this is done whilst you are negotiating with a potential customer, but I would have thought that it was common practice to delete these records after 6 months or so.

Quite. It was so long ago that I contacted PlusNet that I'm concerned they still hold my details. It makes you realise just what information is held about you by various organisations and the idea that this is deleted when it no longer serves a purpose, clearly isn't being done at all.

1. What are PlusNet going to do for people like Moira, who has been compromised by their incompetence but is not a user of their services?

Well, they say I've been compromised, but I'm hard pushed to see any damage tbh. I'd like to think I could demand financial compensation but I don't think I've probably got much of a case!

Anyway, I'll wait and see what transpires. They may be forced into compensating people with enough pressure.

[nihil]

I don't think that the customer account database has been compromised, as they would have to warn people about that, given that it would contain credit card and banking details.

You will probably OK as I would expect spammers to check the record dates and delete old ones. Obsolete spam lists are of no value?

[Moira]

Well since to my knowledge I don't even have a PlusNet email account, it follows that it can't be receiving spam. Either way, I haven't been receiving spam to anything but my normal accounts (Yahoo and Gmail attract spam like a magnet!)

[nihil]

Hi Moira,

They are sending you e-mails, so that is the account that is on their database and has been compromised.

I presume that it is their marketing mailing database that has been compromised. I guess that will contain all existing customers, past customers and contacts such as yourself.

[Moira]

Yes ..... I'm just surprised they think I ever had a PlusNet email address, that's all, since I never actually got round to signing up with them.