We've asked the Information Commissioner's Office to confirm it is aware of the issue.
Why???
Plusnet has admitted that some customer accounts showed other people's names and addresses during a planned upgrade to its billing systems. This was one of a few technical hitches the broadband pusher faced over the weekend, as both current and former customers reported being sent incorrect payment notifications, while a …
I am more concerned that account data is stored in a manner by which an off-by-one on the customer index just gives you all the access to that other data no matter who you are (i.e. poor permission control) and that there's no attempt to test that customer indexes match across tables (i.e. that you put in a "where this.index = that.index" kind of clause that would just return empty results if you mess up one of the indices).
I'm more concerned however that modern companies are still just keeping huge tables of customer data that even they don't need access to in that manner, where a slip of a coder's finger results in actual real results of other customers.
We're still just designing these systems incorrectly, shoving everything as rows into the same tables with no thought of restricting data.
Hint: If your customer index table contained nothing more than an index and a decryption key, and your customer address table contained only an unencrypted index and everything else encrypted, then index-mismatches like this would stop you hitting this class of bug. Not everything, but the simple things at least.
Or permission controls. Or some kind of audits and checks rather than just trusting the result out of the database. Some kind of script checking why suddenly 10,000 accounts are returning different data to ten seconds ago, after you just updated, etc. etc.
But, no, lob it all "in the database" and just blindly spaff results around with no checking.
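As an added illustration of the two defences the comment above sketches (it is not code from the thread or from any of the companies mentioned), the following Python builds the two tables described, one holding only an index and a per-customer key and one holding the index plus encrypted personal data, and shows that an off-by-one in the second lookup then fails loudly instead of returning someone else's address, while a join on index equality returns no row at all. The cipher is a stand-in built from the standard library so the example runs offline; table names, customer ids and addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Toy authenticated encryption built only from the standard library so the
# example runs offline. It stands in for a real AEAD such as AES-GCM and
# should not be reused as-is: SHA-256 counter keystream, then HMAC-SHA256 tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here instead of yielding garbage."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: key does not belong to this record")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def build_db() -> sqlite3.Connection:
    """Two tables as the comment sketches: index -> per-customer key, and
    index -> encrypted personal data. The two customers are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer_index (cust_id INTEGER PRIMARY KEY, enc_key BLOB NOT NULL)")
    db.execute("CREATE TABLE customer_address (cust_id INTEGER PRIMARY KEY, address_enc BLOB NOT NULL)")
    for cust_id, address in [(100, b"A. Customer, 1 High St"), (101, b"B. Customer, 2 Low Rd")]:
        key = os.urandom(32)
        db.execute("INSERT INTO customer_index VALUES (?, ?)", (cust_id, key))
        db.execute("INSERT INTO customer_address VALUES (?, ?)", (cust_id, seal(key, address)))
    return db


def fetch_address(db: sqlite3.Connection, cust_id: int, offset_bug: int = 0) -> str:
    """Two separate lookups. offset_bug simulates an off-by-one in the second
    one; with per-customer keys the mismatched row cannot be decrypted."""
    key = db.execute("SELECT enc_key FROM customer_index WHERE cust_id = ?", (cust_id,)).fetchone()[0]
    row = db.execute("SELECT address_enc FROM customer_address WHERE cust_id = ?",
                     (cust_id + offset_bug,)).fetchone()
    if row is None:
        raise LookupError(f"no address row for customer {cust_id + offset_bug}")
    return unseal(key, row[0]).decode()


def fetch_address_joined(db: sqlite3.Connection, cust_id: int, offset_bug: int = 0):
    """The comment's other suggestion: join on index equality, so a mismatched
    index returns no row at all rather than another customer's row."""
    row = db.execute(
        "SELECT i.enc_key, a.address_enc FROM customer_index i "
        "JOIN customer_address a ON a.cust_id = i.cust_id "
        "WHERE i.cust_id = ? AND a.cust_id = ?",
        (cust_id, cust_id + offset_bug),
    ).fetchone()
    return None if row is None else unseal(row[0], row[1]).decode()


if __name__ == "__main__":
    db = build_db()
    print(fetch_address(db, 100))              # correct lookup decrypts
    print(fetch_address_joined(db, 100, 1))    # join on equality: None
    try:
        fetch_address(db, 100, offset_bug=1)   # off-by-one: tag check fails
    except ValueError as exc:
        print(exc)
```

The design point is that the key lives with the index, so any code path that pairs the wrong index with a key gets an integrity failure rather than plausible-looking data; the join variant removes the class of bug earlier still, at the query.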
> We're still just designing these systems incorrectly, shoving everything as rows into the same tables with no thought of restricting data.
I doubt they're still designing any of this - odds on that this is the migration of Plusnet's customer data onto either BT Retail or EE's big fat arse SAP system with the minimum of changes. The core system could be decades old, and maybe that's why the security's crap. But now everybody can try SQL injection attacks against all BT group retail websites, knowing that offset errors aren't properly vetted?
PlusNet store your password in plain text
.. or at least encrypted in a reversible fashion.
Whilst this is not best practise for storing credentials, the PPPoE layer uses CHAP authentication. I've not kept up with PPP authentication methods but a few years ago at least, the options were send in clear, some sort of CHAP variant (where the server needs to know your credential in clear) or something proprietary that will restrict the type of router you can use. At this layer, they are making the best of a bad set of options.
and will email it out to you
This is where it all falls down though. They use the same credential store for access to manage your account and has accessible mechanisms to discover it. To my mind, they should be making every effort to make the credential store a 'write only' system.
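To make concrete why the CHAP point above forces a cleartext (or reversibly encrypted) secret, and why the account-management login does not need one, here is an added Python example (not code from the thread or from any ISP). It runs one CHAP round as RFC 1994 defines it, Response = MD5(Identifier || secret || Challenge), against a store holding the secret, then shows that a store keeping only a salted PBKDF2 hash can verify a web password but can never answer a CHAP check. The class and user names and both secrets are constructed for the example.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge).
# The authenticator can only check that value by recomputing it, so it must
# hold the secret itself. A one-way hash of the secret, which is all a web
# login needs, cannot be used. Store and user names are this example's own.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PppSecretStore:
    """Cleartext (or reversibly encrypted) secrets: unavoidable for CHAP."""
    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)

    def verify_chap(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class AccountLoginStore:
    """One-way store for the account-management site: only a salted PBKDF2 hash
    is kept, so nothing here can be read back or emailed out."""
    ITERATIONS = 100_000

    def __init__(self):
        self._records = {}

    def enrol(self, name: str, password: bytes) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)
        self._records[name] = (salt, digest)

    def verify_password(self, name: str, password: bytes) -> bool:
        rec = self._records.get(name)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def verify_chap(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        # Cannot be implemented: MD5(id || secret || challenge) needs the secret,
        # and this store only has pbkdf2(secret, salt). Always reject.
        return False


def run_chap_exchange(store, name: str, client_secret: bytes, identifier: int = 1) -> bool:
    """One CHAP round: authenticator sends a challenge, the peer answers,
    the authenticator recomputes and compares."""
    challenge = os.urandom(16)                                      # authenticator -> peer
    response = chap_response(identifier, client_secret, challenge)  # peer -> authenticator
    return store.verify_chap(name, identifier, challenge, response)


def demo() -> dict:
    """Constructed credentials; a separate secret for each store."""
    ppp = PppSecretStore({"user@isp.example": b"ppp-secret-constructed"})
    web = AccountLoginStore()
    web.enrol("user@isp.example", b"web-password-constructed")
    return {
        "ppp_ok": run_chap_exchange(ppp, "user@isp.example", b"ppp-secret-constructed"),
        "ppp_wrong": run_chap_exchange(ppp, "user@isp.example", b"wrong-secret"),
        "web_ok": web.verify_password("user@isp.example", b"web-password-constructed"),
        "web_wrong": web.verify_password("user@isp.example", b"nope"),
        "web_chap": run_chap_exchange(web, "user@isp.example", b"web-password-constructed"),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the PPP secret and the account password in separate stores, as in `demo()`, is what lets the account side be "write only": the CHAP secret still has to be recoverable, but a leak of it no longer unlocks the management site.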
> I am more concerned that account data is stored in a manner by which an off-by-one on the customer index just gives you all the access to that other data no matter who you are (i.e. poor permission control) and that there's no attempt to test that customer indexes match across tables (i.e. that you put in a "where this.index = that.index" kind of clause that would just return empty results if you mess up one of the indices).
I'm not disputing that building in mitigation against "off-by-one" issues is a good thing, but is there any evidence that this is actually what has happened here? I can't see anything from the article to suggest that this is what's caused billing data to be incorrectly displayed.
So about that "routine maintenance".
Oh and:
it had identified a "handful" of accounts that showed "incorrect information", which included the wrong name and address
is never a good sign, is it? So can we assume that *everyone* was affected then? I mean, one of the quoted tweets was from an ex-customer of theirs so... technically it's possible they've screwed things up for even more people than their entire customer base. I'm not saying they have, but the "Straight from the PR department's arse" comments are so utterly unconvincing as to make me question why they even bother.
Something fishy in this tale.
At the time Big BT bought Plusnet, part of their justification for doing so was that Plusnet ran the business on a CRM package called WorkPlace. See e.g.
https://www.zdnet.com/article/bt-buys-plusnet-for-crm-system/
Other folks at the time (2006) wondered whether the purchase of Plusnet was less about WorkPlace, more about allowing Big BT to drive a coach and horses through Ofcon's rules about BT not abusing their market dominance (e.g. by BT Retail not being allowed to significantly undercut the competition).
Tried to get my bill today, and that was the case - all I got was a dropdown to select the bill, but no bill!
Called support - "waiting time is currently 20 minutes". Was about to hang up, but the call was taken immediately.
After a bit of discussion the help desk informed me that there were issues with the migration of some 10,000 accounts. He then suggested clearing cookies or trying a different browser. Cookies weren't an option (new machine, not yet visited site), but switching from Firefox to Safari (MacOS) did allow me to get the bill.
No obvious way to print it, but right-click / print frame did the job.
Looks like it needs some functional and usability testing before it's made live. Oh, wait...
I just tried to access the "Bills and Payments" page and all I get is:
You'll hopefully be aware that we've just launched our new billing system.
As part of this we're just applying some updates to these pages, please bear with us, we'll be back soon!
hmmm....
Received this on 2nd September. Not had any trouble with billing yet, so I guess they are holding until they've sorted things out..
"We need to let you know that your September bill will be delayed by a few days.
We just wanted to drop you an email to reassure you that you won't be charged any more or less money, and your service won't be affected in any way. You'll get your usual email notifications when your bill's ready, and payment will be taken via your current method.
We hope this doesn't cause any problems, but please get in touch if you need to. Call us on 0800 432 0200.
Best wishes,
The Plusnet Team"
As part of these billing changes, Plusnet will no longer be providing VAT invoices on residential accounts. Apparently, they will be providing "simplified invoices", which cannot be used to reclaim VAT, presumably to force those using residential accounts in the course of their business to switch to business accounts. However, as the prices for business services represent a hike of more than 20% over the equivalent residential prices, I am not sure this will have the effect they are looking for.
https://www.netcracker.com/insights/press-releases/plusnet-selects-netcracker-for-next-generation-billing-transformation/
contains the following
“Netcracker was the clear choice as our strategic billing transformation partner given the outstanding rating capabilities of its next-generation Revenue Management solution and deep-rooted commitment to its customers,” said David Leather, Director Transformation and Billing at Plusnet. “Netcracker’s delivery record and cutting-edge solution will allow us to improve business agility and leverage enhanced customer billing functionality to provide the best possible customer experience which is a critical part of our strategy.”
As part of the transformation, Netcracker will deliver its Revenue Management solution and migrate customers from an existing system to the new platform. Netcracker will also provide Plusnet with a number of professional services, including configuration, integration, migration and testing services to optimize Plusnet’s billing operations.
[continues]
See also https://uk.linkedin.com/in/david-leather-37210221 where he shows as "Director, Service Transformation, BT/EE" (account required for the full details, but LinkedIn Finland reveals this gem:
"Totally driven by doing the right thing for our customers and our people, I am responsible for transforming BT and EE’s service experiences") [source: https://fi.linkedin.com/in/david-leather-37210221]
Well clearly.
He's a Twitterer too.
So much for "social" networking.
I can confirm that this breach is still ongoing nearly one month later.
"We'd like to reassure all our customers that we immediately prevented access to the My Account section of the website and we quickly fixed the problem," she added.
This is a lie. The problem is not fixed. The data breach is ongoing. Payment details are visible. Multiple people I've spoken to on telephone support either didn't know about a data breach or they have been told not to talk about it to customers who report data breaches.
Given they have had weeks to fix this and have not I can only assume it's a massive mess and not a simple fix.