Capita Education Services accidentally spaffs email addresses in Helpdesk snafu Capita Education Services had a bit of an oopsie yesterday as a new helpdesk system spurted potentially thousands of email addresses at unsuspecting users. A Register reader got in touch to express his surprise at receiving an email regarding a helpdesk ticket he didn't open, logged by someone he didn't know. To make matters …
This post has been deleted by its author
Why oh why have Microsoft not added an option to Exchange* along the lines of:
"Require additional verification if 'To' field exceeds <xxxx> addresses [Y/N]"
that is "Y" by default ?
Memory is dim now (which makes it even worse) but I have a feeling it was kicked about last millenium when RFCs were being circulated.
*Other mail servers are available.
And you would replace email with what ? Facebook postings ? Twitter notifications ? An SMS, maybe ?
Email is still very useful, especially in a business environment.
Obviously, for those who spend their free time on social media, yeah, not so useful. It's okay though, nothing they do there is useful either.
Email is still very useful, especially in a business environment
And some people still use faxes.. A tool might be old, but that doesn't mean it's not still useful.
Take an axe for example - they've been around for 100s of thousands of years, but they are still useful for reprogramming recalcitrant computers..
Considering that commentards have recently been discussing the virtues of IEEE-488 (an 8 bit parallel port from the late 60's I'd say no.
As for TELEX, why yes, it's still in use and a quick googling would answer that for you or for the terminally lazy ....
It's a nice idea, but not much help with automated emails: people who write code that might have to send large group mails would just write their mass mail code to limit the batch size to say, 100 addresses, and send the same email multiple times instead.
Like, uh... this one apparently was.
Well Capita User, the questions is.... Are you feeling lucky?
Do you trust Capita when they say "It was just email addresses and wasn't an external breach, honest guv" or do you think "hmm... I wonder what else went walkabout"
I couldn't possibly comment on the contents of the spam email but the link in it resolves to somewhere in Californiia... which doesn't look like Capita.
Theorising wildly:
Someone setup a Resolver Group who's membership was everyone in the directory (either as a test or because the system requires all users belong to a Team), called it "DO NOT USE" and then someone else used it.
Alternatively, "DO NOT USE" has a Null in the team members box and their ticketing system took this to mean "email absolutely everyone about this new ticket".
Reminds me of the time a certain leisure centre e-mailed out about 100 people updates to whatever it was. Only to realise they'd CCed everyone else in without hiding their address'
Oh shit.
Then it got VERY funny.
They e-mailed everyone to say they were very sorry about the mistake and it won't happen again (before GDPR). But in that apology e-mail, they did it again!
Very funny it was.
We got something like this in NHS.net a couple of years ago.
Someone managed to email all 750k users saying something like "test" and loads of brain dead middle managers (a redundancy I know) hit reply to all saying "please remove me from this list" and then others who hadn't read the first ones sent RTAs asking to be removed from that list!
make it un-reply-all-able
In a proper OS you could make the email address end up at /dev/null..
But that won't stop idiots^W people hitting reply-all and I'm not keen on Microsoft putting a 'cannot generate an email to this address' feature into Outhouse. Because that would lead to all sorts of calls to the helldesk.
That INC0000000 format smells very much like ServiceNow to me. Looks like someone within Capita created an assignment group and managed to attach a workflow to it that did the Bad Stuff. SN is very powerful but it's just soooooo easy to get the workflows doing all sorts of hilarity*
No doubt some junior underling will be getting beaten round the head as a result, ignoring the structural and procedural issues that caused them to do it.
*as did a colleague some years ago when we implemented/suffered SN at work, and they managed to make a workflow auto-update all tickets with an incoming email action, which then triggered the incoming email action and updated all tickets, etc etc...
We had similar issues after introducing SN at the behest of the company that bought ours. I'm sure if perfectly managed it can work well, but by default the Customer Service Module behaves in very strange ways and it's very easy for a user to accidentally mass-email people even if using the system as instructed because of the weird workflows that get invisibly applied.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
