Plusnet customers peeped others' deets during system upgrade

Plusnet has admitted that some customer accounts showed other people's names and addresses during a planned upgrade to its billing systems. This was one of a few technical hitches the broadband pusher faced over the weekend, as both current and former customers reported being sent incorrect payment notifications, while a …

  1. Anonymous Coward
    Anonymous Coward

    We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

    Why???

    1. Steve Davies 3 Silver badge

      Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

      Why?

      Simple really. People in the IT world hate BT. PlusNet is part of BT.

      Do you really need any more to put 2 and 2 together and get 4?

    2. Anonymous Coward
      Anonymous Coward

      Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

      To see if they really and I quote "take the protection of our customers' data extremely seriously"

      I see "extremely seriously" as never making a mistake with your data but each to their own.

      1. Lee D Silver badge

        Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

        I am more concerned that account data is stored in a manner by which an off-by-one on the customer index just gives you all the access to that other data no matter who you are (i.e. poor permission control) and that there's no attempt to test that customer indexes match across tables (i.e. that you put in a "where this.index = that.index" kind of clause that would just return empty results if you mess up one of the indices).

        I'm more concerned however that modern companies are still just keeping huge tables of customer data that even they don't need access to in that manner, where a slip of a coder's finger results in actual real results of other customers.

        We're still just designing these systems incorrectly, shoving everything as rows into the same tables with no thought of restricting data.

        Hint: If your customer index table contained nothing more than an index and a decryption key, and your customer address table contained only an unencrypted index and everything else encrypted, then index-mismatches like this would stop you hitting this class of bug. Not everything, but the simple things at least.

        Or permission controls. Or some kind of audits and checks rather than just trusting the result out of the database. Some kind of script checking why suddenly 10,000 accounts are returning different data to ten seconds ago, after you just updated, etc. etc.

        But, no, lob it all "in the database" and just blindly spaff results around with no checking.

        1. Anonymous Coward
          Anonymous Coward

          Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

          We're still just designing these systems incorrectly, shoving everything as rows into the same tables with no thought of restricting data.

          I doubt they're still designing any of this - odds on that this is the migration of Plusnet's customer data onto either BT Retail or EE's big fat arse SAP system with the minimum of changes. The core system could be decades old, and maybe that's why the security's crap. But now everybody can try SQL injection attacks against all BT group retail websites, knowing that offset errors aren't properly vetted?

        2. david bates

          Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

          Unless it has changed recently PlusNet store your password in plain text and will email it out to you. This is safe because reasons, so I'm not surprised.

          1. djack

            Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

            PlusNet store your password in plain text

            .. or at least encrypted in a reversible fashion.

            Whilst this is not best practice for storing credentials, the PPPoE layer uses CHAP authentication. I've not kept up with PPP authentication methods but a few years ago at least, the options were send in clear, some sort of CHAP variant (where the server needs to know your credential in clear) or something proprietary that will restrict the type of router you can use. At this layer, they are making the best of a bad set of options.

            and will email it out to you

            This is where it all falls down though. They use the same credential store for access to manage your account and have accessible mechanisms to discover it. To my mind, they should be making every effort to make the credential store a 'write only' system.
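An added worked example, not from this thread or from Plusnet, of the point djack makes above. RFC 1994 CHAP with MD5 computes the response as MD5(Identifier || secret || Challenge), so the PPP authentication server has to hold the secret itself (or something it can reverse to the secret) to check a response; a one-way password hash cannot answer a challenge. The separate "portal" store below shows the other half of the suggestion: the My Account login kept in a one-way (PBKDF2) store that can neither be emailed back to the customer nor used to answer CHAP. The class names, the `alice@isp` login and both secrets are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PppAuthServer:
    """PPP/CHAP side (hypothetical class). To check a response it must recompute
    the same MD5, so the secret has to be available here in the clear or in a
    reversibly encrypted form; a salted one-way hash would be useless."""

    def __init__(self, secrets: dict):
        self._secrets = secrets  # login -> cleartext PPP secret

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, login: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(login)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class PortalStore:
    """'My Account' side (hypothetical class): a write-only store. PBKDF2 output
    cannot be turned back into the password, so there is nothing to email out,
    and it cannot answer a CHAP challenge, which is why the two stores differ."""

    ITERATIONS = 200_000

    def __init__(self):
        self._rows = {}  # login -> (salt, derived key)

    def enrol(self, login: str, password: bytes) -> None:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)
        self._rows[login] = (salt, dk)

    def verify(self, login: str, password: bytes) -> bool:
        row = self._rows.get(login)
        if row is None:
            return False
        salt, dk = row
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, dk)


def client_session(server: PppAuthServer, login: str, secret: bytes) -> bool:
    """The exchange from the router's side: get a challenge, answer it, learn the verdict."""
    ident = 7  # CHAP Identifier octet; any value, echoed back by the peer
    challenge = server.challenge()
    return server.verify(login, ident, challenge, chap_response(ident, secret, challenge))


def demo() -> dict:
    # Constructed sample login, PPP secret and portal password
    ppp = PppAuthServer({"alice@isp": b"correct horse"})
    portal = PortalStore()
    portal.enrol("alice@isp", b"different portal password")
    return {
        "chap_ok": client_session(ppp, "alice@isp", b"correct horse"),
        "chap_bad": client_session(ppp, "alice@isp", b"wrong"),
        "portal_ok": portal.verify("alice@isp", b"different portal password"),
        "portal_bad": portal.verify("alice@isp", b"correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The PPP secret and the portal password are deliberately different values in different stores, so a leak or a "remind me" feature on one cannot be replayed against the other. The same constraint applies to the MS-CHAP variants: they do not need the cleartext password, but they do need its NT hash, which is a password-equivalent and must likewise be kept reversible on the server.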

        3. juice

          Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

          > I am more concerned that account data is stored in a manner by which an off-by-one on the customer index just gives you all the access to that other data no matter who you are (i.e. poor permission control) and that there's no attempt to test that customer indexes match across tables (i.e. that you put in a "where this.index = that.index" kind of clause that would just return empty results if you mess up one of the indices.

          I'm not disputing that building in mitigation against "off-by-one" issues is a good thing, but is there any evidence that this is actually what has happened here? I can't see anything from the article to suggest that this is what's caused billing data to be incorrectly displayed.
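An added example, not from this thread and not a description of Plusnet's or Netcracker's systems, of the design Lee D sketches above (index table holding only an id and a per-customer key, address table holding only the id and ciphertext, lookups joined on the id) beside the flat single-table design, with a simulated off-by-one in the lookup applied to both, plus the post-upgrade drift check he suggests. The cipher is a toy encrypt-then-MAC built from the standard library (SHA-256 keystream with an HMAC tag) so the block runs anywhere; a real system would use an AEAD such as AES-GCM. Table names, the three customers and the "one id out" bug are all constructed for the example; as juice notes, nothing on the page says this is what actually went wrong at Plusnet.

```python
import hashlib
import hmac
import os
import sqlite3


# --- toy AEAD stand-in (stdlib only): SHA-256 counter keystream + HMAC tag ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key does not match record")  # wrong key or wrong row
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample customers (hypothetical names and addresses)
SAMPLE = {101: "Alice, 1 High St", 102: "Bob, 2 Low Rd", 103: "Carol, 3 Mid Ave"}


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- flat design: the whole row is readable by any query that names an id
        CREATE TABLE customer_flat    (cust_id INTEGER PRIMARY KEY, address  TEXT NOT NULL);
        -- split design: index table holds only the per-customer key,
        -- address table holds only the index and ciphertext
        CREATE TABLE customer_index   (cust_id INTEGER PRIMARY KEY, cust_key BLOB NOT NULL);
        CREATE TABLE customer_address (cust_id INTEGER PRIMARY KEY, enc      BLOB NOT NULL);
    """)
    for cid, addr in SAMPLE.items():
        key = os.urandom(32)
        db.execute("INSERT INTO customer_flat VALUES (?, ?)", (cid, addr))
        db.execute("INSERT INTO customer_index VALUES (?, ?)", (cid, key))
        db.execute("INSERT INTO customer_address VALUES (?, ?)", (cid, seal(key, addr.encode())))
    db.commit()
    return db


def fetch_flat_off_by_one(db, cust_id: int):
    # Simulated migration bug: the id is one out. The flat table hands back a neighbour.
    row = db.execute("SELECT address FROM customer_flat WHERE cust_id = ?",
                     (cust_id + 1,)).fetchone()
    return row[0] if row else None


def fetch_split(db, cust_id: int):
    # Correct path: joined on the index, so both halves must agree on cust_id
    # and a bad id yields an empty result rather than someone else's row.
    row = db.execute("""
        SELECT i.cust_key, a.enc
        FROM customer_index i JOIN customer_address a ON a.cust_id = i.cust_id
        WHERE i.cust_id = ?""", (cust_id,)).fetchone()
    return unseal(row[0], row[1]).decode() if row else None


def fetch_split_off_by_one(db, cust_id: int):
    # The same bug against the split design: key for cust_id, ciphertext for cust_id + 1.
    key = db.execute("SELECT cust_key FROM customer_index WHERE cust_id = ?",
                     (cust_id,)).fetchone()
    enc = db.execute("SELECT enc FROM customer_address WHERE cust_id = ?",
                     (cust_id + 1,)).fetchone()
    if not key or not enc:
        return None
    try:
        return unseal(key[0], enc[0]).decode()
    except ValueError:
        return "MISMATCH"  # the wrong customer's data never decrypts


def changed_accounts(before: dict, after: dict, limit: int) -> set:
    # Post-upgrade sanity check: which accounts now render differently, and is
    # that more than the change window should have produced?
    changed = {cid for cid in before if after.get(cid) != before[cid]}
    if len(changed) > limit:
        raise RuntimeError(f"{len(changed)} accounts changed; expected at most {limit}")
    return changed
```

On the flat table the one-out id silently returns the next customer's address; on the split design the same mistake fails the tag check and returns nothing usable, and `changed_accounts` run over a before/after snapshot of rendered accounts is the "why are 10,000 accounts suddenly different" alarm rather than a fix. Note that this only helps when the key really is per customer and lives in a different table (ideally a different store) from the ciphertext; one master key would decrypt the neighbour's row just as happily.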

  2. Peter X

    ...shortly followed by another "routine maintenance" alert

    So about that "routine maintenance".

    Oh and:

    it had identified a "handful" of accounts that showed "incorrect information", which included the wrong name and address

    is never a good sign is it? So can we assume that *everyone* was affected then? I mean, one of the quoted tweets was from an ex-customer of theirs so... technically it's possible they've screwed things up for even more people than their entire customer base. I'm not saying they have, but the "Straight from the PR department's arse" comments are so utterly unconvincing as to make me question why they even bother.

  3. cd

    So they went with SAP?

    1. Steve 53

      Re: New???

      Somehow I see them more likely to move to a BT "Standard", eg a 25 year old mainframe based system, perhaps with a front end GUI added to make sure the pig has a little lipstick

      1. Anonymous Coward
        Anonymous Coward

        Re: Workplaice?

        Something fishy in this tale.

        At the time Big BT bought Plusnet, part of their justification for doing so was that Plusnet ran the business on a CRM package called WorkPlace. See e.g.

        https://www.zdnet.com/article/bt-buys-plusnet-for-crm-system/

        Other folks at the time (2006) wondered whether the purchase of Plusnet was less about WorkPlace, more about allowing Big BT to drive coach and horses through Ofcon's rules about BT not abusing their market dominance (e.g. by BT Retail not being allowed to significantly undercut the competition).

  4. Anonymous Coward
    Anonymous Coward

    Plusnet stressed that "full payment details were not visible"

    Tried to get my bill today, and that was the case - all I got was dropdown to select the bill, but no bill!

    Called support - "waiting time is currently 20 minutes". Was about to hang up, but the call was taken immediately.

    After a bit of discussion the help desk informed me that there were issues with the migration of some 10,000 accounts. He then suggested clearing cookies or trying a different browser. Cookies weren't an option (new machine, not yet visited site), but switching from Firefox to Safari (MacOS) did allow me to get the bill.

    No obvious way to print it, but right-click / print frame did the job.

    Looks like it needs some functional and usability testing before it's made live. Oh, wait...

    1. Anonymous Coward
      Anonymous Coward

      Re: Plusnet stressed that "full payment details were not visible"

      I just tried to access the "Bills and Payments" page and all I get is:

      You'll hopefully be aware that we've just launched our new billing system.

      As part of this we're just applying some updates to these pages, please bear with us, we'll be back soon!

      hmmm....

      1. Anonymous Coward
        Anonymous Coward

        Re: Plusnet stressed that "full payment details were not visible"

        I can now view my previous bills - hooray!

        But when I select "View your payments", it just says "No result found" whichever period I select - duh!

  5. viscount

    As a Plusnet customer: I laugh at the idea that a hacker can make sense of my bills. I can't.

  6. John Brown (no body) Silver badge

    Upgrades during a month rollover?

    "between 8pm on 31 August and 7am on 1 September"

    Always plan updates for when there will be the least amount of change.

  7. Winkypop Silver badge
    Devil

    "handful"

    I'll bet it wasn't a Trump size handful either.

    Now sing the chorus along with me:

    "We take the protection of our customers' data extremely seriously, (repeat)

    1. Velv
      Headmaster

      Re: "handful"

      Since “unlimited” in telecoms land doesn’t actually mean unlimited, I shudder to think what a handful means.

  8. Securitymoose

    Bills are now being delayed

    Received this on 2nd September. Not had any trouble with billing yet, so I guess they are holding until they've sorted things out.

    "We need to let you know that your September bill will be delayed by a few days.

    We just wanted to drop you an email to reassure you that you won't be charged any more or less money, and your service won't be affected in any way. You'll get your usual email notifications when your bill's ready, and payment will be taken via your current method.

    We hope this doesn't cause any problems, but please get in touch if you need to. Call us on 0800 432 0200.

    Best wishes,

    The Plusnet Team"

  9. Valeyard

    Plusnet

    wull do yer prowd

    (Except when we don't)

    1. Craigie

      Re: Plusnet

      I hate that tosser and all the tossers who decided his accent wasn't tosserish.

      1. Anonymous Coward
        Anonymous Coward

        Re: Plusnet

        "I hate that tosser and all the tossers who decided his accent wasn't tosserish."

        He's actually pretty good as a stand-up...

  10. Jamesit

    "We take the protection of our customers' data extremely seriously, and have informed the relevant authorities."

    No, you don't. If you did you would run the update on an identical test server to check for problems like this. If there are none then you upgrade the live server.

  11. Anonymous Coward
    Anonymous Coward

    Def not fixed as of this morning

    I raised the issue of being unable to add BT App to my subscription on Sat, Sun and Mon. Still broken. Support staff on chat didn't seem aware and call queue length very very long

  12. Anonymous Coward
    Anonymous Coward

    In the process of leaving PN. Won't miss 'em. They were good once.

  13. Anonymous Coward
    Anonymous Coward

    We'll do you proud ! - Oh Really !!!

    The system is utterly rubbish, I am yet to receive my bill and website is broken. I don't intend to stay here for long !!!

  14. Anonymous Coward
    Anonymous Coward

    Plusnet no longer supplying VAT invoices on residential accounts

    As part of these billing changes, Plusnet will no longer be providing VAT invoices on residential accounts. Apparently, they will be providing "simplified invoices", which cannot be used to reclaim VAT, presumably to force those using residential accounts in the course of their business to switch to business accounts. However, as the prices for business services represent a hike of more than 20% over the equivalent residential prices, I am not sure this will have the effect they are looking for.

  15. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      It's a cracker... maybe not quite the way they intended.

      https://www.netcracker.com/insights/press-releases/plusnet-selects-netcracker-for-next-generation-billing-transformation/

      contains the following

      “Netcracker was the clear choice as our strategic billing transformation partner given the outstanding rating capabilities of its next-generation Revenue Management solution and deep-rooted commitment to its customers,” said David Leather, Director Transformation and Billing at Plusnet. “Netcracker’s delivery record and cutting-edge solution will allow us to improve business agility and leverage enhanced customer billing functionality to provide the best possible customer experience which is a critical part of our strategy.”

      As part of the transformation, Netcracker will deliver its Revenue Management solution and migrate customers from an existing system to the new platform. Netcracker will also provide Plusnet with a number of professional services, including configuration, integration, migration and testing services to optimize Plusnet’s billing operations.

      [continues]

      See also https://uk.linkedin.com/in/david-leather-37210221 where he shows as "Director, Service Transformation, BT/EE" (account required for the full details, but LinkedIn Finland reveals this gem:

      "Totally driven by doing the right thing for our customers and our people, I am responsible for transforming BT and EE’s service experiences") [source: https://fi.linkedin.com/in/david-leather-37210221]

      Well clearly.

      He's a Twitterer too.

      So much for "social" networking.

  16. PeterM42
    Facepalm

    I guess.......

    ......it goes downhill from now on. PlusNet was great, but now............ we will have to wait and see.

  17. Anonymous Coward
    Anonymous Coward

    data breach still ongoing.......

    I can confirm that this breach is still ongoing nearly one month later.

    "We'd like to reassure all our customers that we immediately prevented access to the My Account section of the website and we quickly fixed the problem," she added.

    This is a lie. The problem is not fixed. The data breach is ongoing. Payment details are visible. Multiple people I've spoken to on telephone support either didn't know about a data breach or they have been told not to talk about it to customers who report data breaches.

    Given they have had weeks to fix this and have not I can only assume it's a massive mess and not a simple fix.
