Demon splurges details of 3,600 customers in billing email

Demon Internet sent thousands of business and government subscribers an email this morning telling them all about a new e-billing system, and tacked on details, including passwords, for 3,600 customers. The email - supposedly from Simon Blackburn Demon's director of customer service - has been sent to customers opting for e- …

COMMENTS

This topic is closed for new posts.
  1. Doug
    IT Angle

    user names and passwords

    "A spokeswoman for Demon said the company had changed the passwords which were sent out and was in the process of changing user names too"

    What were they doing storing passwords in the clear in the first place. What were they doing emailing this document around the company.

  2. Anonymous Coward
    Anonymous Coward

    Errr...

    If they've changed all their usernames and passwords, how will they be able to read the email being sent?

  3. Aristotles slow and dimwitted horse
    FAIL

    Looks like...

    Someone might be looking for a new job then. With an attention to the minutiae of data protection like that he should be able to have his pick of any number of govt. departments.

  4. Bernie 2
    FAIL

    Passwords in a .csv file?

    In plain text as well presumably? Wow sounds really secure.

  5. Anonymous Coward
    Anonymous Coward

    Re: Errrrr

    The usernames and passwords are for an online billing system for dsl and do not relate to services such as email.

  6. Anonymous Coward
    Anonymous Coward

    wut lol

    how hard would it be to block mails to external address if documents attached

  7. Tony 32
    FAIL

    LOL Maybe time to switch

    I spent an hour or so with Demon tech support last night and was basically told to wait 36 hours to see if my problem goes away... Maybe this is a sign to swap providers.

  8. Anonymous Coward
    Anonymous Coward

    Demon these days are a joke anyway

    Back in the 90s when I joined them they were a small company that cared about their customers. Since they got taken over by Thus they've increasingly turned into a faceless organisation that couldn't give a rat's arse about them. Their helpdesk is hosted abroad and is a joke - half the "consultants" on it have a tough time telling you their own name in a recognisable language, never mind solving your problem - whereas it used to be in Southend, staffed by technical types who had a clue, and their webpages FTP service seems to have an issue at least once a week. This cockup doesn't surprise me in the least.

  9. Anonymous Coward
    FAIL

    Poundhost

    Similar to what Poundhost.com did the other day. See https://secure.grepular.com/blog/index.php/2009/09/21/poundhost-vs-rapidswitch/

  10. Anonymous Coward
    Megaphone

    Simply pathetic

    You don't store cleartext passwords in the 19th century. Oh wait...

  11. Eden
    FAIL

    Facepalm

    Someone's going to be missing out on their Christmas bonus this year!

  12. Stef 2
    FAIL

    Directors!

    Directors should never be allowed near anything that important - like email or anything with sharp edges.

  13. Winkypop Silver badge
    FAIL

    Management fail 101

    "Delores, come in here that pesky email program, it's made a mistake again."

  14. Denise HC

    Passwords

    I received the email and attachments - my details were not in the CSV file - but my password was...allocated to someone else. Demon don't have much "luck" with e-billing, their first attempt had to be suspended because it did not work!

  15. Woodgar

    Passwords In Plain Text?

    I agree with Doug - there is clearly something fundamentally broken if the passwords can be retrieved in this fashion at all, let alone posted out for all to see.

  16. Daniel 20
    FAIL

    "there was no evidence that ...

    ... anyone had logged in with someone else's details"

    And that evidence would look like what?

    www.duhmon.co.uk ....

  17. Anonymous Coward
    Paris Hilton

    WTF?

    Are these guys for real?

    This must be a joke.

    Paris, just because.

  18. Anonymous Coward
    Anonymous Coward

    ...How?

    They say that nobody has used the credentials to log in to their users' accounts; but how do they know? Especially if someone used the details they sent and got authenticated by them, surely that wouldn't raise any errors unless they had some Big Brother tracking on everything logging in!

  19. Baldychap
    FAIL

    Security....

    ..They've heard of it.

  20. Andy Dingley
    Paris Hilton

    Demon is so last century

    The question isn't even why anyone is still with Demon: for some years now it has been why you're still with Nildram, to where you'd moved after the first mass migration away from Demon when Thus first got involved. As seems sadly inevitable, that bolthole went downhill too and it was time to abandon it in turn.

    (Andrews & Arnold are lovely though)

    Paris, because it's who Cliff would have chosen

  21. Andy Gates
    Unhappy

    Oh dear...

    ...and Demon used to be the good guys.

  22. Skizz
    FAIL

    Password

    The 'passwords in plaintext' is a non-issue. The e-mail was about a new service, e-billing, which required a username and password to log in. It's a chicken and egg situation. You need a password to log in, you have no password so how do you log in. Ah, yes, the provider gives you a password, but it has to be in plain text.

    This CSV file is just a data source for an e-mail merge that accidentally got attached to the e-mail itself. There's no reason to suppose the e-billing system stores passwords in plaintext.

    So someone pressed the wrong button in Outlook. Stupid mistake. Easily fixed. Nothing to see. Move along now.

    Skizz

  23. Anonymous Coward
    FAIL

    Passwords in plaintext

    Although they shouldn't be stored in plaintext, most ISPs have a need to be able to retrieve a plaintext password. Why?

    Well the one scenario I've definitely come across is when reporting an ADSL fault to BT, you need to submit the end user's connection username and password to BT in the fault report. You can't just change the password to something else, then submit that, as then you'd need to get the customer to change the password on their router.

    So before people comment about passwords being available in plaintext, it might be nice if they looked at the operational reasons for it.

  24. Mike Scott 1
    FAIL

    Prosecute them...

    This kind of thing is just going to keep happening unless and until some organisation is prosecuted under data protection legislation and fined the maximum amount possible. We keep being told how much identity fraud is costing the country, and how much police forces are spending to fight it. Demon's crime may be the result of carelessness, but it is a crime none the less and they should have to pay the penalty - say £1000 per set of details; £360K should get their attention...

  25. adam payne
    Joke

    Oops!

    That's certainly a case of **** hit the email recall button.

  26. Saucerhead Tharpe

    I'm glad I am no longer with Demon

    I was there for 12 years, first using an Amiga A1200 for email, newsgroups (Thor) and the web (AWeb, when you had to buy a browser).

    I left last year because I got Joejobbed on my pseudo sub-domain, and got 75,000 emails on my account.

    So minus a few marks for scanning incoming messages.

    Then they couldn't release my email back to my control, and the only way to get a new Demon sub-domain was to pay for the privilege.

    So I jumped. And I'd recommend others to as well

  27. Jason 71
    WTF?

    Hmmm

    "But the email also has a .csv attachment with 3,681 customer records on it. Entries include names, emails, telephone numbers"

    Are they going to change everyone's telephone numbers too....

    I hope they get screwed for this..

    Too many people getting away with it.

  28. Anonymous Coward
    Paris Hilton

    @ Skizz & @ AC 12:14

    @ Skizz - Have you EVER used an online service before? Most (reputable ones anyway) allow you to enter your details, account number, address, DOB etc. and create your own username and password, to avoid stupid mistakes like this and storing passwords in plain text.

    @ AC 12:14 - That may be a valid reason for connection details (although I'm not sure it is, and I wonder how many end users know about this practice?) but this was not the same login. This was for a new billing system that Demon should have allowed their users to set up their own accounts for.

    Simples.

    Paris? Because she's pretty.

  29. creacog

    distributed how wide?

    We know 3,681 sets of details, but would be interested to know to how many recipients?

  30. smudge
    FAIL

    @ Denise H C

    > I received the email and attachments - my details were not in

    > the CSV file - but my password was...allocated to someone else.

    Of course, it's not normally a problem if someone else has the same password as you, because neither of you would know.

    OTOH, if Demon are re-using a limited number of passwords, that would be naughty (my lawyer advised me not to say "criminal").

  31. Anonymous Coward
    Anonymous Coward

    @ Jason 71

    Jason 71: "Are the going to change everyone's telephone numbers too...."

    Good point!!

    Goodness only knows why such pathetic "toothless" data protection laws are allowed to continue.

  32. Anonymous Coward
    Paris Hilton

    @Skizz

    There's always a need to perform one access of a system where you don't have full access to credentials (i.e. an initial registration), but there are so many different ways to achieve it in the year 2009, for instance;

    - verification against a challenge letter (yes, a real letter sent in the post)

    - verification against a challenge sent by SMS to a registered mobile phone

    - verification against a certification pad (like PINsentry), or software equivalent

    - verification against a password registered on a website in response to an email containing a link with a reference

    Bottom line is that it is unforgivable that details are sent out in a fashion like this. This is not a High Street store enticing new customers with a loyalty scheme, it's an ISP that should know better. Back in the day they were a great ISP as well, full of technical competence and great on delivery.

    I agree that Data Protection action should be taken against Demon so that a lesson is taught to all companies that employ incompetent fools to manage data of the masses. If they have to think before pressing the button, they might prevent shams like this.

    Paris, because no password needed to access her backdoor.
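The two positions argued above (Skizz's "the first password has to be sent in plain text" and the AC's list of first-registration methods) can be reconciled in code. The following is an added example and not anything from Demon or from the article: it implements the last of the AC's options, an emailed single-use enrolment token that is only ever stored as a hash, after which the customer sets their own password, stored as a salted PBKDF2 hash. The class name, the 24-hour lifetime and the iteration count are illustrative assumptions. The point for the thread is that the data an ops team would dump into a mail-merge CSV (`dump_for_mail_merge`) contains nothing that can be used to log in.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of an enrolment link
PBKDF2_ITERATIONS = 200_000     # assumed work factor for stored passwords


class EnrolmentStore:
    """Illustrative first-login flow: emailed token -> user-chosen password.

    Only hashes are ever persisted, so neither a database dump nor a
    mail-merge CSV built from this store can be replayed as credentials.
    """

    def __init__(self):
        self._pending = {}       # account_id -> (sha256(token) hex, expiry epoch)
        self._credentials = {}   # account_id -> (salt bytes, pbkdf2 hash bytes)

    def issue_token(self, account_id, now=None):
        """Create a single-use enrolment token; return it for the email.

        The plaintext token exists only in the returned value (and hence the
        one email to the customer); the store keeps its SHA-256 digest.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[account_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account_id, token, new_password, now=None):
        """Exchange a valid, unexpired token for a user-chosen password."""
        now = time.time() if now is None else now
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[account_id]          # expired: discard, do not honour
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False                            # wrong token, keep pending entry
        del self._pending[account_id]              # single use: consumed on success
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
        self._credentials[account_id] = (salt, pw_hash)
        return True

    def verify_password(self, account_id, password):
        """Constant-time comparison against the stored PBKDF2 hash."""
        rec = self._credentials.get(account_id)
        if rec is None:
            return False
        salt, pw_hash = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(pw_hash, candidate)

    def dump_for_mail_merge(self):
        """What a mail-merge data source built from this store could hold.

        It is the token digest, not the token, so leaking this file (as the
        article describes) would not let anyone log in.
        """
        return {acc: digest for acc, (digest, _expiry) in self._pending.items()}


if __name__ == "__main__":
    store = EnrolmentStore()
    token = store.issue_token("acct-1")
    print("merge file contains:", store.dump_for_mail_merge())
    print("redeem:", store.redeem("acct-1", token, "customer-chosen-passphrase"))
    print("login:", store.verify_password("acct-1", "customer-chosen-passphrase"))
```

Running the block shows the merge file holding a 64-character digest rather than a usable secret; a second `redeem` with the same token is refused because the pending entry was consumed.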

  33. Bullet Brown

    @boltar

    What boltar said.

  34. Anonymous Coward
    FAIL

    She said there was no evidence of anyone logging-in using someone else's details.

    Reminds me of the old Thermos joke punch line: But how do he know?

  35. Anonymous Coward
    Anonymous Coward

    @Poundhost

    I heard about that too.. Apparently someone then replied to all with a rather unsavoury picture too.

  36. Rob Burke
    Thumb Down

    Shocked but not surprised....

    ... since a few months ago they sent me someone else's invoice details by mistake.

    I'd like to get a hold of this CSV file to see if I'm on it or not.

  37. b166er

    Demon

    maybe for dial-up +10 years ago!

    They hosted one of the best Quake II Lithium servers though ;-p, so credit for that.

  38. Anonymous Coward
    FAIL

    Re: Password

    "So someone pressed the wrong button in Outlook. Stupid mistake. Easily fixed. Nothing to see. Move along now."

    So to "mail-merge" in Outlook you first attach the source data to the message? Quite the fail in waiting, that is.

  39. Anonymous Coward
    FAIL

    Not the first time...

    Quite some time ago, a Demon employee posted my personal details into an IRC chat room to "prove" he worked for them. I was furious. Has to be said, I am still a subscriber with multiple lines as, aside from this, they've always provided a great service.

  40. Anonymous Coward
    Anonymous Coward

    And another thing

    Shouldn't passwords be bloody encrypted anyway? What the fuck are these people doing? They're supposed to be one of the UK's oldest ISPs, I assume they're now senile?

  41. Jimbob 3
    Flame

    And I thought Public Sector only got it wrong..

    Yeah you see, Private companies *can* get it as wrong as the Public Sector.

  42. This post has been deleted by its author

  43. Anonymous Coward
    Paris Hilton

    nothing to do with the recent takeover, honest.

    It would take a more cruel person than I to mention that they were taken over by

    Clueless and Witless because their accounts department has always sucked royally.

    Paris, because she doesn't kiss and tell with customer details.

  44. Linbox
    Grenade

    Long time customer

    Quite sad to witness the slow, inexorable decline of a great company, whose cost-cutting out-sourcing mania resulted in me becoming an ex-customer earlier this year.

    Will no doubt be acquired at an enormous loss by somebody soon.

  45. Mike Gravgaard

    Demon

    Sounds like I left Demon at the right time then...

    Mike

  46. Michael Argast
    Thumb Up

    This is a good reason to not re-use passwords...

    This sort of occurrence is way too common, unfortunately. Hopefully, in this case, Demon was simply sending out passwords they had generated, rather than passwords previously used by customers, because, as we all know, password re-use is horribly high.

    You can see how this sort of thing would happen by a mail merge sort of activity, but it is also unfortunate that Demon isn't using technology that would have detected just this sort of accidental leakage and prevented it from occurring. Further to a previous poster's point, there are also great encryption solutions available that would allow them to send this information out without resorting to plain text emails.

    Michael Argast, Security Analyst, Sophos
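The two comments above that ask why nothing blocked the message (the "block mails to external address if documents attached" suggestion and Michael Argast's point about leakage detection) describe an outbound-mail check. Below is an added example, not code from Demon, Sophos or the article, of the minimal version of such a check: it walks the attachments of an outbound message, parses any CSV, and flags credential-named columns and bulk record counts when at least one recipient is outside the sending domain. The domain `example-isp.test`, the column-name list, the 50-record threshold and the sample message are all constructed for the example.

```python
import csv
import io
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example-isp.test"}                  # assumed sender's own domain
SENSITIVE_HEADERS = {"password", "passwd", "pwd", "pin", "secret"}
BULK_THRESHOLD = 50                                      # assumed: more rows than a single customer's data


def external_recipients(msg):
    """Return every To/Cc/Bcc address whose domain is not an internal one."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    out = []
    for _name, addr in pairs:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def inspect_csv(data):
    """Parse CSV bytes; report row count and any credential-like column names."""
    rows = list(csv.reader(io.StringIO(data.decode("utf-8", errors="replace"))))
    if not rows:
        return None
    header = [h.strip().lower() for h in rows[0]]
    return {
        "rows": len(rows) - 1,
        "sensitive_columns": sorted(set(header) & SENSITIVE_HEADERS),
    }


def check_outbound(msg):
    """Decide whether an outbound message should be held.

    Blocks when a CSV attachment carries a credential column or a bulk number
    of records AND the message has at least one external recipient.
    """
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_csv = name.lower().endswith(".csv") or part.get_content_type() == "text/csv"
        if not is_csv:
            continue
        info = inspect_csv(part.get_payload(decode=True))
        if info is None:
            continue
        if info["sensitive_columns"]:
            findings.append(f"{name}: credential column(s) {info['sensitive_columns']}")
        if info["rows"] >= BULK_THRESHOLD:
            findings.append(f"{name}: {info['rows']} records (bulk personal data)")
    ext = external_recipients(msg)
    return {"block": bool(findings) and bool(ext), "external": ext, "findings": findings}


def build_sample_message(n_rows, to_addr="customer@example.org", attach=True):
    """Constructed test message resembling a billing notice with a merge CSV attached."""
    msg = EmailMessage()
    msg["From"] = "billing@example-isp.test"
    msg["To"] = to_addr
    msg["Subject"] = "Your new e-billing login"
    msg.set_content("Dear customer, your e-billing account is ready.")
    if attach:
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["name", "email", "telephone", "username", "password"])
        for i in range(n_rows):   # synthetic rows, not real customer data
            writer.writerow([f"Customer {i}", f"c{i}@example.org", f"0114 000 {i:04d}", f"user{i}", f"Pw{i:05d}"])
        msg.add_attachment(buf.getvalue().encode(), maintype="text", subtype="csv", filename="billing_merge.csv")
    return msg


if __name__ == "__main__":
    print(check_outbound(build_sample_message(60)))
```

The decision is deliberately two-factor (sensitive content and an external recipient), which is why the same CSV sent to an internal address is allowed through while a handful of records to a customer with a `password` column is still held. Header matching is the weakest part; a production gateway would also look at the values, but the column check alone would have caught the file described in the article.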

  47. Charles Smith
    FAIL

    Good Luck Crims

    I've been with "A Tenner a Month" [Demon] for a while. A couple of years ago they tried to introduce e-billing for my account. It wasn't working properly then and still doesn't work for me yet.

    I wonder if the Crims will have any more luck gaining access to my account than I have had?

  48. Marc Wilson
    WTF?

    Demon passwords....

    I'm sure that New Scotland Yard don't need a Demon account- users there will be {name}@met.police.uk. It may be someone who /wishes/ he worked for NSY. Probably lives with his mother.

  49. Ian Chard
    FAIL

    Demon don't know privacy

    Today I phoned Demon to get them to check the access lists on a router they manage for my employer. All I gave them was the IP address of the router, and they told me everything I asked for. Didn't even give my name or company. More than a bit scary, and makes this story seem entirely expected.

  50. raving angry loony

    bring back that old time punishment

    A comma-separated file with cleartext names and passwords? Just HAVING that ANYWHERE means they need to be spanked very hard. Actually sending it around means they need to be hung, drawn and quartered. What are these incompetent idiots doing in charge of anything more complicated than a swing set?

  51. Nick Kew
    FAIL

    Sounds like an improvement on ...

    When I signed up for Demon and paid a year in advance ...

    Never got billed for the following year ....

    .... they instructed debt collectors instead!

    Service was pretty erratic too, with extended outages (up to a day or more) depressingly common.

    Why anyone still subscribes to them is a mystery.

  52. hugo tyson
    FAIL

    thurs.csv

    I got that too. I was not on the list. Question is, did everyone get the same list or did we all get varieties? My attachment was thurs.csv but it was sent on Wednesday at about 0600. I guess someone was preparing the following day's mailmerge list....

  53. Anonymous Coward
    Anonymous Coward

    I did the rat thing in time, then.

    I was with Demon from just after they started until November last year. It had gone downhill too far to be saved, and was just an incompetent shambles at that time. It seems like there has been no improvement, and, although being naturally cautious and initially reluctant to re-arrange things so that I could change, I'm glad I did, and just in time. Demon started as a small business that really contained knowledgeable staff who would help and sort things out quickly. After being initially sold, it transformed itself into a limb of a faceless money-making organisation that seemed to care little about its small private customers, and in which most helpful and very good staff were either driven away (thus resetting the "salary clock") or made redundant. How the mighty fell! The only thing left to wonder is whether it has actually reached the bottom yet.

  54. Lost in a maze of twisty messages, all alike.
    Boffin

    Re: Demon is so last century

    I was going to say 'nine years since sacking Demon/Thus and I haven't regretted a minute", but my Demon co-founder-member (remember them?) dingbat has expressed it first ..

  55. Anonymous Coward
    Gates Horns

    Some twit sending out batches of emails using outlook?

    Now that is really scary.

    Some poor temp on minimum wage straight out of scumbag poly with an honours degree in Excel (to do the needful), no doubt.

    Alternatively, employ someone who knows how to knock up a Perl script properly and let the mail servers do the job instead. Might save a bob or two in litigation, never mind a good kicking to the share price.
