KC engineer 'exposed unencrypted spreadsheet with phone numbers, user IDs, PASSWORDS'

Hull's dominant telco, KC, is investigating revelations of what appears to be poor handling of the company's customer data. This comes after a recent sign-up claimed one of its engineers had unwittingly exposed a customer spreadsheet containing the telephone numbers, user IDs and unencrypted passwords of all its subscribers. …

COMMENTS

  1. Hans 1
    Joke

    LOL

    The security of our customers’ information is of primary importance to us and we are aware of and take very seriously our obligations under the Data Protection Act. We investigate any alleged data security incidents promptly and thoroughly, and we act quickly to make any improvements such investigations identify.

    1. Oh Homer
      FAIL

      Re: LOL

      Even funnier is this nice bit of sophistry: "I can assure you that all of our laptops are encrypted, password-protected and fitted with tracking technology and the facility to remotely wipe data."

      That's great, but irrelevant, because in this case unauthorised third party access is not the problem, it's the authorised operator's access to sensitive data he ought not be authorised to access.

      Or in simple terms: "He works for us" is not good enough I'm afraid. I'm sure banks employ engineers too, but that doesn't mean those engineers get the keys to the vault, even if they're the ones who installed it.

      If these numpties are representative of the sort of people responsible for securing sensitive data, I can understand why the ICO has such a difficult job.

  2. Heisenberg

    Where's the story?

    If the laptop in question does indeed have hard drive encryption installed then I really don't see what the issue is? Maybe if the engineer had explained that to the customer at the time he wouldn't have kicked off?

    1. Anonymous Coward

      Re: Where's the story?

      The point is a file is easy to lift, transfer to a memory stick, get attached to an email etc. The file itself isn't encrypted. If it is sent/lifted, it is easily accessible. You don't have this kind of information unencrypted. You just don't.

    2. Evan Essence

      Re: Where's the story?

      Did you see the bit about the same password being used to access email? Would you want some random engineer knowing your email password?

      1. Anonymous Coward

        Re: Where's the story?

        "Did you see the bit about the same password being used to access email? Would you want some random engineer knowing your email password?"

They don't even NEED the password, this is the problem, I mean if you're the sysadmin for the mail server, I'm sure you can read anyone's inbox unless the messages are PGP encrypted.

    3. Michael Nidd

      Re: Where's the story?

      Passwords should never be stored in plaintext anywhere. Not on a laptop with disk encryption, not on a server in a locked room behind two firewalls, not anywhere. It's not a question of how the list is protected; it just shouldn't exist.

      1. HereWeGoAgain

        Re: Where's the story?

        How do you think CHAP works?

        1. The Vociferous Time Waster

          Re: Where's the story?

Two hashed passwords are compared. The password is neither stored nor transmitted in plain text. Perhaps it's PAP you are thinking of?
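The sub-thread above turns on what CHAP actually compares. As an added example (not code from any poster here), this is the RFC 1994 exchange in Python: the authenticator sends an Identifier and a random Challenge, the peer returns MD5(Identifier || secret || Challenge), and the authenticator recomputes the same digest from its own copy of the secret. The peer name, the secret and the challenge length are constructed for illustration.

```python
"""Added example (not from the thread): a minimal CHAP (RFC 1994) exchange.

Shows what is compared during CHAP authentication and what the
authenticator must hold to do it. Names, secrets and challenge
bytes below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Challenge:
    identifier: int   # one-octet Identifier, echoed back in the Response
    value: bytes      # random Challenge value


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The server side. Note the table it keeps: name -> recoverable secret.

    The authenticator has to recompute the peer's digest over a fresh
    challenge each time, so a one-way hash of the secret would not do.
    """

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets
        self._next_id = 0

    def challenge(self) -> Challenge:
        self._next_id = (self._next_id + 1) % 256
        return Challenge(self._next_id, os.urandom(16))

    def verify(self, chal: Challenge, name: str, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_digest(chal.identifier, secret, chal.value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The client side: holds its own secret, never sends it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, chal: Challenge) -> tuple[str, bytes]:
        return self.name, chap_digest(chal.identifier, self._secret, chal.value)


def run_exchange(secret_on_server: bytes, secret_on_peer: bytes) -> bool:
    """Full Challenge / Response / verify round; True on Success."""
    auth = Authenticator({"alice": secret_on_server})   # constructed peer name
    peer = Peer("alice", secret_on_peer)
    chal = auth.challenge()
    name, resp = peer.respond(chal)
    return auth.verify(chal, name, resp)


def response_is_replayable(secret: bytes) -> bool:
    """A captured Response should be useless against a new Challenge."""
    auth = Authenticator({"alice": secret})
    peer = Peer("alice", secret)
    first = auth.challenge()
    _, captured = peer.respond(first)
    second = auth.challenge()
    return auth.verify(second, "alice", captured)


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"s3cret", b"s3cret"))
    print("mismatched secrets:", run_exchange(b"s3cret", b"wrong"))
    print("replayed response accepted:", response_is_replayable(b"s3cret"))
```

The digest never leaves either side in a form that reveals the secret, and a replayed Response fails because the Challenge changes; but the table in `Authenticator` is the point of the question above: the verifying side needs the secret itself, not a hash of it.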

    4. Martin Milan

      WTF?

      ... then allow me to enlighten you...

The issue is that this engineer now has credentials for accessing thousands of customers' email accounts. If the customer has been lazy (and most will be), he probably also has access to their Facebook / Twitter accounts as well...

There is no excuse for holding passwords in clear text - even back at base - never mind on a remote worker's laptop.

      1. Anonymous Coward

        Re: WTF?

        "The issue is that this engineer now has credentials for accessing thousands of customer's email accounts."

        And other engineers can just read your plaintext email on the server without any passwords or some email admins can 'impersonate' a user/email address and read your email in the web mail interface. Whine about that one.

        1. Martin Milan

          Re: WTF?

          LOL. I'm scared to think you might, just might, be from the IT industry.

    5. Anonymous Coward

      Re: Where's the story?

      "If the laptop in question does indeed have hard drive encryption installed then I really don't see what the issue is?"

      The engineer had no need to have the file at his disposal. He should only have had access to the record of the specific customer in question, not the entire customer base. If he's scrolling through data on a spreadsheet there's no way to record and audit what records he has looked at and to confirm that the access was done for a genuine purpose.

If the report is true, it's a clear breach of the DPA. If you can't see the problem, I really hope you're not responsible for any data I might appear in.

      1. Badvok

        Re: Where's the story?

        I think a number of commentards here have missed the bit about this being the network logon credentials which are normally assigned by the ISP rather than them being the user's own password (even if they are also the default passwords used for the email service).

        One does wonder how some of these commentards expect the ISP to tell you the credentials you need to log onto their network if they are never allowed to use clear text.

2. John Brown (no body)
        Facepalm

        Re: Where's the story?

        "The engineer had no need to have the file at his disposal."

...unless the witnessed spreadsheet was just that day's installs with the first time generated passwords and not the entire customer base as some here seem to think.

      3. Anonymous Coward

        Re: Where's the story?

> If the report is true, it's a clear breach of the DPA.

        Anon, could you please provide details as to how this is a "clear breach of the DPA"? Specific sections being violated along with commentary would be particularly appreciated. Thanks very much.

        > If you can't see the problem, I really hope you're not responsible for any data I might appear in.

It would be much more helpful if you could give us some insight, so you're not left at the mercy of your hopes.

        I must admit that while I can see an obvious problem from an information security perspective, it is the contravention of the Data Protection Act 1998 that eludes me. Having raised the point with such certainty, I have no doubt that you will be kind enough to expound the intricacies of it to us, for which I would be indebted.

        1. Anonymous Coward

          Breach of DPA

          Ok, so can someone please provide an explanation of how this practice might be in breach of the Data Protection Act?

          I am not asking whether it is a good idea, professional, etc., to carry around a list of usernames and passwords related to customers. I am asking whether someone else familiar with the DPA would like to provide their input, seeing as the journo who wrote the piece did not see fit to enlighten us on this particular aspect.

          Many thanks.

          1. Trainee grumpy old ****
            Boffin

            Re: Breach of DPA

            >> Ok, so can someone please provide an explanation of how this practice might be in breach of the Data Protection Act?

            The principles of the act are listed here: http://ico.org.uk/for_organisations/data_protection/the_guide/the_principles

            At the very least, principle 3 would appear to be being breached.

    6. Munin

      Re: Where's the story?

      Industry standards state that passwords shall not be stored except as a hashed output.

      Passwords are not 'encrypted' in the usual, reversible fashion per these standards; this is why all reputable outfits will not be able to tell you what your password was when you forget it.

      When you log in, the login process hashes your password through the same one-way function and compares the sausage-meat result to the stored sausage-meat result; if they match, then you've put in the correct password.

      "Cor, but wot if summat else makes t' same hash?" I hear you object--that's called a hash collision, and that's why they come out with new hash functions from time to time.

      The long and short of it is that even if you trust these people's laptop setup--which, given their very basic misunderstanding of how passwords are to be stored is far from guaranteed--they STILL should not have passwords available for customer accounts, ever.

      The correct way that reputable outfits use is to use the engineer's credentials to get to a restricted page on which the customer then inputs a password for their specific account, and then tell the customer to change it themselves once the engineer leaves.

      And that, lad, is why everyone jumped on the 'downvote' button.

      1. Badvok

        Re: Where's the story?

        "Industry standards state that passwords shall not be stored except as a hashed output."

Hmmm, if all ISPs were to follow this 'Industry Standard' then I wonder how they could tell you the password so you can connect your router to their network. After all it is normal practice for these passwords to be fixed by the ISP and not user changeable.

        Nudge, nudge, wink, wink, want to know the password for the giffgaff APN? I've successfully managed to reverse the hash they've used and the password is: "password".

        1. ShortLegs
          FAIL

          Re: Where's the story?

          @Badvok

          "Nudge, nudge, wink, wink, want to know the password for the giffgaff APN? I've successfully managed to reverse the hash they've used and the password is: "password"."

          How - by the simple expedient of looking it up on the support forum, where it is for all to see?

          1. Badvok

            Re: Where's the story?

            @ShortLegs: Google 'sarcasm'. It is apparently industry standard for all passwords to be stored as a hash, therefore that password you see on the giffgaff site MUST, by definition, be a hash of the actual password.

        2. Munin

          Re: Where's the story?

          " I wonder how they could tell you the password so you can connect your router to their network."

          By reading the second to last paragraph in my post, guv.

  3. Semtex451
    Coat

    Surely only the NSA & GCHQ should have access to plain text login details?

    1. xerocred

      I don't see how even the mighty NSA and GCHQ could have access to plaintext passwords if passwords are only ever stored as hashes. Of course they might have rainbow tables and can figure it out.

      1. Anonymous Coward

        "Of course they might have rainbow tables and can figure it out."

        The (good) thing is, rainbow tables are often of little or no use against a half-decent hashing routine. Decent sized crypto-random salts and stretching (and therefore also multiple iterations), as a basic minimum, helps quite a bit in this respect.

        The bad thing is, a lot of code I have seen over years fails to implement even basic precautions such as salts and stretching which probably means rainbow tables will be of some use for a while yet.
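Munin's post above describes the hash-and-compare step, and the reply just above asks for salts and stretching on top of it. As an added example (not code from any commenter, and not how KC or any ISP does it), here is a password verifier in Python that shows both, beside the unsalted form rainbow tables are built against. PBKDF2 is used because it is in the standard library; the iteration count, record format and sample passwords are constructed for illustration.

```python
"""Added example (not from the thread): storing and checking passwords so
the cleartext is never retained.

Demonstrates hash-and-compare, a per-user random salt, and stretching,
with the unsalted form alongside for contrast. Sample passwords and the
record format are constructed for this example.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # stretching: cost per guess; tune to your hardware
SALT_BYTES = 16


def store_unsalted(password: str) -> str:
    """The weak form: one deterministic digest per password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.

    The salt is fresh per record, so two users with the same password
    get unrelated digests and a precomputed table covers neither.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute over the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupt row
    cannot be used to distinguish users by error behaviour.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def rainbow_lookup_works(password: str, table: dict[str, str]) -> bool:
    """An unsalted digest is a dictionary key: precompute once, look up forever."""
    return table.get(store_unsalted(password)) == password


def salted_records_differ(password: str) -> bool:
    """Same password stored twice yields two different records."""
    a = store_password(password, iterations=1000)
    b = store_password(password, iterations=1000)
    return a != b


if __name__ == "__main__":
    record = store_password("correct horse", iterations=2000)
    print(record)
    print("right password:", verify_password("correct horse", record))
    print("wrong password:", verify_password("correct horsf", record))
    # A constructed "rainbow table" over three common passwords.
    table = {store_unsalted(p): p for p in ["password", "123456", "letmein"]}
    print("unsalted lookup hits:", rainbow_lookup_works("letmein", table))
    print("salted records differ:", salted_records_differ("letmein"))
```

For a new system, bcrypt, scrypt or Argon2 would be the usual choice over PBKDF2; the structure is the same: random salt, tunable cost, and a constant-time comparison of the recomputed digest against the stored one.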

  4. RobHib
    Coat

    The Internet. Yes, it was too good to last.

    It's little wonder I've stopped all but the most difficult on-line transactions and gone back to cheques.

With the NSA, GCHQ etc spying, unscrupulous suppliers divulging my email address and other personal data and their irresponsible employees losing customer data including passwords (or losing disks or the briefcases containing them on public transport), operating system manufacturers—Microsoft—making O/S code that requires never-ending security patches (i.e. inherently as holey as a Swiss cheese) not to mention going to bed with the NSA etc., virus writers and exploit experts threatening to devastate my data, and governments that don't give a damn about privacy etc., etc., I'm beginning to think the internet is pretty useless except for perhaps a bit of wild-west entertainment or comic relief.

    Yes, it was too good to last.

    1. Anonymous Coward

      Re: The Internet. Yes, it was too good to last.

      not to mention going to bed with the NSA etc

      Hang on a minute... you're going to bed with the NSA... what all of them? All at once, or one at a time? You're going to have to 'mention' more about this now, we all want to know.

      1. Obitim

        Re: The Internet. Yes, it was too good to last.

        not to mention going to bed with the NSA etc., virus writers and exploit experts threatening to devastate my data - that's what she said...

      2. RobHib
        Headmaster

        @obnoxiousGit -- Re: The Internet. Yes, it was too good to last.

        you're going to bed with the NSA...

        Frankly, I can't think of much worse.

        Now, I know I'm renowned for long sentences; so I'm letting you off with a reasonable excuse. According to MS word, this sentence has 107 words (its grammar checker peters out after 68).

        Shakespeare it certainly ain't, but that sentence is entirely consistent in its punctuation. There's a comma before operating system and the next matching comma is after NSA etc. Between them there's a pair of opening and closing [em] dashes followed by a pair of opening and closing brackets, both of which have consistent parsing. Thus, after parsing, MS is the subject of the phrases within the two commas.

I know that if I converted the sentence into a True/False truth table (something I was forced to learn years ago in formal logic) then I could formally prove this. However, I do not intend to so do. As truth tables are fine in say Boolean electronic logic circuits but a real PIA when applied to grammar for detailed reasons too complex to explain here. (And for me, doing grammar truth tables is effectively penance and thus to be avoided.)

        A consequence of doing formal logic is that I usually get the punctuation correct. 'Tis unfortunate however that study made little or no improvement to my writing style.

        Thank you for winding me up, that's one of the great joys of El Reg.

        P.S.: In future, I'll endeavour (but not promise) to keep my sentences fewer than the MS-imposed limit.

        ;-)

    2. Goldmember

      Re: The Internet. Yes, it was too good to last.

      "It's little wonder I've stopped all but the most difficult on-line transactions and gone back to cheques."

      Bad move. Cheques are being phased out over the next 4 years:

      http://news.bbc.co.uk/1/hi/business/8414341.stm

      1. ShortLegs
        FAIL

        Re: The Internet. Yes, it was too good to last.

        No, they are not.

        http://www.paymentscouncil.org.uk/media_centre/press_releases/-/page/1575/

        and

        http://www.paymentscouncil.org.uk/current_projects/the_future_of_cheques/-/page/2514/

      2. RobHib
        Pirate

        @Goldmember -- Re: The Internet. Yes, it was too good to last.

        Bad move. Cheques are being phased out over the next 4 years...

        Did not know that.

        Ahh, but not here in the great godforsaken southern land—not yet anyway! (It usually takes us about 5 or 10 years to catch up to the UK but inevitably we do (we're so predictable at it that if you guys copyrighted your business and government practices/rules, I'd reckon the UK could live off the royalties we'd have to pay you).) ;-)

        It's not news that the banks don't like cheques; they have to get off their arses and physically exchange bits of paper, which is a pain compared to line items on a computer screen. Despite the fact that they've had to do it for hundreds of years, those opportunistic, customer-service-shy pariahs won't miss a tick. (Note: bills of exchange go back to at least Roman times.)

In that article Auntie Beeb makes the point that cheques will be phased out by October 2018, but only if adequate alternatives are developed, it doesn't say what they are. So what happens when someone (a) doesn't have a mobile or POTS telephone, (b) has no internet connection and/or (c) no credit card? Not having one of these three is usually a reasonable indicator that the person may not have the others. Whilst the numbers are small, in a country the size of the UK, this still amounts to many hundreds of thousands of people.

        Also in the article there's a mention that the cheque's predecessor was the bill of exchange. In the paperwork sense, there's bugger-all difference between a bill of exchange and a cheque. For all sorts of reasons I cannot see how the banks can kill off everything from bills of exchange to money orders etc., etc., especially if they originate from outside the UK. That would essentially presuppose that cash was gone and that every place/country had a totally cashless banking system.

        Funny isn't it, that the banks are prepared to phase out cheques before there's a secure system to replace it—i.e.: before there's a secure internet (a la this article/my post etc.)

        Jolly Roger icon ==> Banks' logo!

        1. Test Man

          Re: @Goldmember -- The Internet. Yes, it was too good to last.

RobHib - "Did not know that." As someone else has already posted, it's NOT being phased out. There's a subsequent BBC article that states that the powers-that-be changed their mind.

          http://www.bbc.co.uk/news/business-14122129

        2. Anonymous Coward

          Re: @Goldmember -- The Internet. Yes, it was too good to last.

          "Funny isn't it, that the banks are prepared to phase out cheques before there's a secure system to replace it—i.e.: before there's a secure internet (a la this article/my post etc.)"

          We wouldn't want a truly secure internet, especially if it involves using passport details or driver's license details to post on a forum, it's bad enough that some places expect you to use Facebook for authentication.

      3. ckm5

        Re: The Internet. Yes, it was too good to last.

        It's even worse than that - most checks have full account details printed at the bottom, making it fairly trivial to spoof the whole thing... The only saving grace is that it's not digital, but even then, most banks provide digital images of your checks...

1. Roland6

          Re: The Internet. Yes, it was too good to last.

          Re: The only saving grace is that it's not digital, but even then, most banks provide digital images of your checks...

          I've yet to receive any digital images of cheques I've issued. Years back AMEX used to send out copies of all payment slips they had received, however, since they went digital with only account access, copies of transaction documents are no longer provided as standard.

          The trouble is that UK banks are starting to accept and process digital images of cheques thereby avoiding the handling of physical paper and customers having to make special trips to a branch just to pay cheques in (I'm a little surprised how few banks promote postal submission of payments)...

      4. rh587

        Re: The Internet. Yes, it was too good to last.

        "Bad move. Cheques are being phased out over the next 4 years:"

And are being replaced by a cheque-like system which works in much the same way for the user but is much more efficient for the banks to process, because although the number of cheques is falling, the remaining ones are really difficult to find alternatives to - for instance paying annual subs to local sports clubs which typically don't have a phone line or means of making card or electronic payments (unless they've got a web-savvy member and the Treasurer is willing to sift through statements checking who has and hasn't paid), and where the Treasurer would far rather have a small stack of cheques to pay in than having to store £5k on behalf of the club until they can get to the bank...

        Similarly for clubs, there is no solution yet to replace double-signature cheques (other than a cheque-like replacement). I've yet to see a double-PIN debit card that requires authority from multiple signatories to withdraw cash.

  5. Halfmad

    Don't wait on the company going to the ICO - this is the mistake many people make, they won't.

    Report the company yourself, it takes all of 5 minutes.

  6. Dr Trevor Marshall

    Verizon USA knows your passwords

Verizon USA FIOS routers have a backdoor for tech support, which is well-documented. But recently, when I logged into my Verizon web account to check my billing balance, I saw that my WIFI WPA2 password was recorded there in plain text. I switched ISP. It is just unbelievable how any ISP could surreptitiously harvest my WiFi password into their database. To say nothing of the threat to my WiFi network, knowing my WPA2 password would make social engineering of my internal network passwords much, much easier.

    And yes, I know Google does it with Android devices. I have given those devices their own DMZ.

    1. This post has been deleted by its author

      1. ckm5

        Re: Verizon USA knows your passwords

Not my ISP, they let you BYOD...

    2. Terry Barnes

      Re: Verizon USA knows your passwords

      I'm not seeing the risk.

      Presumably your web account is userid and password protected? Presumably you don't have said userid and password printed on a poster mounted outside your front door?

      I'm not sure what you mean by 'social engineering' your internal network passwords - social engineering requires an individual to be tricked into revealing something they shouldn't have done. Why does knowing your WiFi passcode make that easier? And why not just set the router to not allow new, unknown devices to connect?

1. chris 17

        Re: Verizon USA knows your passwords

He probably uses a long password in a particular format that would make it easy to guess (social engineer) his other passwords. Ever heard of the process of combining several memorable words to make a long password? 12 letters is better than 6.

        https://www.facebook.com/pages/Spotted-Farnborough-and-Aldershot/594550087237217?hc_location=timeline

        1. Joe Montana

          Re: Verizon USA knows your passwords

Several memorable words strung together are relatively easy for a password cracking tool with a dictionary, have a look at the -rules option of john the ripper for instance.

    3. Anonymous Coward

      Re: Verizon USA knows your passwords

      "And yes, I know Google does it with Android devices."

      Sorry, can you explain that further..?? *Concerned*

1. Gene Cash

        Re: Verizon USA knows your passwords

        If you have "back up my data" checked, it sends your wi-fi passwords to Google.

        On my Jellybean device (Moto G) it explicitly says "Back up app data, Wi-Fi passwords, and other settings to Google servers"

  7. Anonymous Coward

    How do other ISPs do it these days when they send engineers out to do the install?

    1. Anonymous Coward

They put a sticker on the router itself, which is much more secure.

Oh, and a little pedantry, Karoo is KC's ISP, not KCOM Group's.

    2. rhydian

      I'm not sure about enterprise grade stuff, but on ADSL/FTTC links the Openreach bod doesn't actually deal with the router. With ADSL he simply checks the line's good and you use the info the ISP sent you (either by letter or Email). With FTTC their duty finishes once they've installed your VDSL modem, and those connections authenticate on the line so there aren't any login details
