A cautionary, Thames Watery tale on how not to look phishy: 'Click here to re-register!' Thames Water found itself in warm, er, water this week after a clunky migration effort left customers receiving emails that looked like a particularly sophisticated spear-phishing attack. A Register reader got in touch after receiving an email purporting to be from the company and requesting that he re-register his online …
Well, here a few years ago Regione Lombardia started to send many requests to pay "unpaid" road taxes for the past years. Strangely, it was sent to many people who actually paid it.
I'm quite sure they lost the data, and thought it was a good idea to send those requests - those who had paid would have sent the receipts, those who no longer had the receipts would have paid again (bonus!), together those who actually didn't pay.
So, if Thames Watery just asked to re-register, it was the less evil....
"...centralised on an IBM mainframe..."
We found it curious that Thames Water insisted how the need to re-register was for privacy reasons,which sounds like a half-baked 'dog ate my homework' cover for 'Yes, we really didn't think this through'.
Turns out both are true. Accounts have been ported to some Microsoft backend service a consequence of which leaves LastPass scratching its head (so much for bookmarking then).
The site now reports NET::ERR_CERT_DATE_INVALID - which is nice...
Don't complicate things with that newfangled domain forwarding witchcraft. It'll only confuse these outsourced IT departments that can't do proper migrations in the first place. How you lose "some" customers records in the first place is beyond me, should it not be all or nothing once you map them over? Unless they really couldn't do it and everyone has to re-register first so they can actually do the rest of the migration using the account number.
everyone has to re-register first so they can actually do the rest of the migration using the account number
Asking for a re-registration is a good way of identifying when contact details are stale - which is a huge problem for historic utility companies.
To those who reckon this will result in cutoffs:
If they can't find the client, what's the betting they've lost the meter too?
"If they can't find the client, what's the betting they've lost the meter too?"
Call me cynical, but if there's one thing you can guarantee they haven't lost its the meters. It will have been number one on the list of requirements to ensure all meters were transferred.
For small businesses and personal contracts, sure.
When you're dealing with Council and business accounts over 50 years, though (don't forget we're dealing with Thames Water), it can be a dog's recycled breakfast.
And don't forget that the reason pipe marks are made on the pavement when works are being put in is because often the pipes are not where they are supposed to be...
I had an absolute bear getting my account away from nPower when I moved because they had my name down as "Mr The Occupier".
I don't entirely understand how they managed to have the correct bank details and not put my name on the account. When I called them to say Id moved house (and, thank the gods, supplier as well) they were a bit "we need to talk to Mr Occupier" at first, bless their incompetent hearts.
There's the Normans, all those Fitz-es, although people forget the French connection, but the group that come most readily to mind are the Huguenots. I was looking for an excuse for O' with a French sounding ending, but in reality don't think any French surnames were ever actually O'-ified (interestingly both O'- and Fitz- are originally patronomics).
There were a couple of Normans that went west, but they landed at Hastings (in 1066) and didn't sail westward again for a couple of centuries. And the protestant Huguenots didn't go to Catholic Ireland. Lots of the ended up in the Netherlands and South Africa. And yes, O' usually means "son of", just like "Mac" and "Mc" (but not in the case of Machiavelli ;) ), while "Fitz" means "bastard son of". For that matter, I don't understand those Yanks giving their sons (mostly middle) names starting with "Fitz", one of the more well known ones being John FitzPatrick Kennedy.
It does seem bizarre (I'm Sorry I Haven't a Clue once started a recording somewhere in NI with the story of the "Huguenots who fled to Ireland to escape religious conflict"...), but it is true. You have to remember there were all kinds of non-conformist churches (the Ulster Folk museum has a family tree of the various sects somewhere), and the Huguenots contributed to the success of the Irish linen industry: https://www.culturenorthernireland.org/features/heritage/huguenots-ireland
I re-registered before i received the e-mail - and one of the security questions failed to implement the correct answer.
Also - the loss of data is an annoying aspect. They asked for feedback every time you log in, and i always requested the ability to download your data as a CSV, but this never materialised. Now with the loss of data - tracking your past usage is much harder.
As per telephone bills, they should allow you to see your usage on a day by day basis in document form, if the data is there.
I've worked on a couple of historic utility company CRM systems and migrations.
You have twenty contacts that are the same person, with four email addresses, one of which is a redirect following a buyout and one of which is invalid.
And then you find that it's not the same person, but one is a former colleague that took over their accounts for some sites but didn't change the name on the account, just the email.
Not excusing Thames Waters ham-fisted migration in this case, but forcing a contact renewal every ten years or so just makes sense.
Your script will only help when that twenty becomes two hundred, but it only goes so far.
The email I received didn't show my original account number, but the new one they had created for me, so I had no way of knowing whether the email was legitimate.
So I logged into ThamesWater as usual (i.e not through the email link), couldn't find my new account number but was invited to re-register, so I decided the email must have been genuine, and used the new account number they had sent me. Account details were ok, so minor hassle in the end.
That's when things turned out even weirder. I logged out (or was logged out), and when I tried to log back in, my password didn't work (the same password that had worked 5 minutes earlier). I used the 'reset password' link and received a nice, secure new password by email: "bdcee4", kid you not. Except, this password didn't work! So I tried my initial password again, this time it worked but I was prompted to change it anyway. All right I thought, I'll just copy/paste my current password twice: error, the passwords don't match! WTF? Copy/paste again, and I notice that the password string looks "2 bullets" longer (or shorter) in the "Confirm password" field. Yes, one of the fields will happily accept 18 chars or more while the other is limited to 16! Removed 2 chars, and my 'new' password was accepted.
So now I have a brand new account number (was that really necessary?), and my password is 2-byte less secure (that really wasn't necessary), Thanks TW!
Wouldn't it be a great id for Thames Water to reassure their customers that this is genuine. If only they had a website where they could inform the public of what's going on.
There is a website at thameswater.co.uk but it can't be genuine. All it does is issue self-congratulatory pats on the back to Thames Water instead of admitting that they've made a balls-up.
It's official management policy in Thames Water to declare any failure a success. Like when they spent £250 million building a desalination plant that was supposed to have a 150MLD capacity, but can barely run for more than a couple of days at 25MLD. Didn't stop then CEO Martin Baggs from singing its praises in a self-congratulatory wank-fest of an opening ceremony.
"We're sorry for any concern this has caused and always encourage our customers to contact us if they're ever unsure about any letters, emails, calls or visits they receive from us or anyone claiming to be from Thames Water."
So every time those bloodsuckers at HomeServe send scare letters under the Thames Water logo we should contact them?
As for the migration and re-registration cock-up... pratts.
It's more than just TW passing customer information to the charlatans at Homeserve. I get them from my current water company, and the previous one before I moved.
Worth noting that anything that looks water company related, but is really spam from Homserve, is marked "Marketing information enclosed" somewhere on the envelope. Just scribble over your address, write "Return to sender not known" and pop in the nearest post box. Let them deal with their own shite. It's never caused a problem back to my water company. Alternatively I open it, and fill the reply paid envelope with a selection of the take away, taxi and estate agent leaflets I get through the door and send it to them. See how they like getting some of my junk mail!
Do not trust any public announcements from Thames Water regarding any issue at all. There is barely anyone left in the company that actually knows what they're doing, and the customer communication is left in the hands of totally clueless people.
This extends beyond IT issues, and into the realm of operational matters and public safety. One example occurred last year during a burst main event in Hammersmith. They actually tweeted out that discoloured water is safe to drink. (It most certainly is not; they probably meant aerated water, but the people sending these public communication simply have no clue.)
Anyone who uses unecrypted unauthenticated email for sensitive transactions must have their brain switched off. Such email is the equivalent of sending a postcard written in pencil via an untrustworthy courier. Nevertheless, it's now deemed sufficient for the forming of contracts.
Brave new world!
"The problem, ..., was that not all data had survived the migration from the company's 40-year-old billing system to something new and shiny"
One of two scenarios:
1. They planned not to migrate all the data, in which case WTF were they doing sending out communications in they way they did; or
2. The migration failed and data was lost (did not survive) in which case WTF were they doing during the testing and trial migrations?
Either way WTF!
"2. The migration failed and data was lost (did not survive) in which case WTF were they doing during the testing and trial migrations?"
They didn't have any, obviously.
You need actually compentent people to make migrations like that, as it's a given that some of the data in old system is pure crap and needs to be sanitized first.
That costs money, so they skipped it, put some general rules "field x into field y" and migrated everything. Afterwards they realize >3% of data is missing as migration script couldn't fit field x content it into field y.
One typical reason for that is that old field is 7-bit (or 8-bit) ASCII and new field is UTF-8, similar length. "Data can't grow while being migrated!". Right.
Add single special character and oops, data overflow, reject whole record. And no data in new system.
I get regular emails to my nhs.uk account asking me to open the attached encrypted html file. They are genuine, from ESR, the electronic staff record people. The thing is, no matter how hard they scratch their heads, peeps cannot work out how wannacry got into the system and why people felt safe to click such emails.
If the good guys continue to engage in bad guy practice, the end user won't know which emails to trust and which not to. And I have reported at least 2 unsavoury emails to Trust IT departments that were truly bad.
Once upon a time, in a land far away, there was a big retail company. This big retail company had a lot of customer databases (was it twelve? I can't remember.) Anyway, they decided to have a project to merge all these databases into ONE BIG DATABASE.
*
When the project was nearing launch time, the VP nominally in charge of the project decided to see just how he (it was a he) figured in the new merged database. What he found was that he appeared at least four times in the database. When he asked the IT people about just how the project had merged the records, this is what he found:
- He had lived at multiple addresses as he transacted business with the company as a normal retail customer
- Over the years he had used multiple credit cards to transact business
- He had appeared in many of the original databases
- The algorithm used to "merge" records had decided that some of these separate database identities were different customers
- The algorithm had even decided that multiple records in a single original database were different customers (address and credit card differences)
*
Ah.....the joys of legacy Customer Relationship Management. Welcome to the future!!
By the way, in the USA it used to be common for companies to use Social Security Number (SSN) to identify individuals. Quite apart from the privacy problem, the idea was that SSN was unique to an individual. Alas, not so. It turns out that the Social Security Administration has issued duplicates an unknown number of times.
*
To really screw things up you need a government AND A COMPUTER!!
"How does data not survive migration?"
Easily. Old system has freeform text, new system has formatted fields and cross-checking and all bells & whistles, while old system was basically automated version of pen & paper.
The amount of crap inserted to this kind of systems is staggering and migrating that to any system which verifies the data first is nigh impossible: Can't verify the data.
Then there is this physical conversion from 7-bit ASCII to UTF-8 .... 32 chars(bytes) does not fit to 32 bytes any more, even single special character is enough if the field is full.
Here in North we have ÄÖÅäöå and each of those is at least 2 bytes in UTF-8 ... somehow data grows while being migrated.
Hi, El Reg team!
You may want to follow-up on this story... someone asked in the comments if they lost some data during transfer... well, I can confirm to you that Thames Water created a move on my account, affecting me a new meter and a new address (that I've never seen in my life), leading to billing problems. All happened around the 14/15/16 October, obviously. And getting an answer and a cancellation seems to be quite an ordeal.
Antoine.
PS: also, there's this story about login.microsoftonline.com ... and they payment processor which redirects you to some third party website (worldpay) without any reference in the frame asking for your banking card details...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
