Demon ebill blunder exposes thousands of passwords
By Barry Collins
Posted on 23 Sep 2009 at 09:35
Demon Internet has sent out a spreadsheet containing the personal details of thousands of customers with one of its new ebills.
The spreadsheet - which has been forwarded to PC Pro - contains email addresses, telephone numbers and what appear to be usernames and passwords for the ebilling system.
The spreadsheet was sent to a PC Pro reader who was staggered to discover it attached to an email explaining how to use the new system.
Demon is refusing to disclose how many customers have received the spreadsheet, although it says it's fewer than a few thousand.
The Excel spreadsheet - which isn't password protected - contains more than 3,600 records. It includes the full name of the customers, email addresses, telephone numbers and names of the customers' businesses. Police forces, NHS trusts and government officials are among the email addresses listed in the database.
The file also includes two unidentified fields which adopt the same format as the username and password for the ebilling system that was sent to the PC Pro reader.
Demon Internet is blaming "human error" for the security breach. "Customer Information for a limited number of customers who had signed up to Demon’s new paperless billing platform has been circulated as an attachment to an email," a company statement reads.
"To be clear, this information did not contain any financial or payment information (bank details, credit card numbers etc). On discovery, Demon took immediate steps to secure the information/details and security of customers affected."
"We would like to apologise to all concerned but state that this was a limited and isolated case caused by human error and to reassure customers that their security is our key priority."
The PC Pro reader claims the incident is the latest in a series of problems to beset the Demon ebilling system. "Demon's ebilling has been a disaster and continued to be so this morning when relaunched," the reader told us. The company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties.
Human error is natural, and I feel truly sorry for whoever pressed the send button.
However, the comment seems to be sweeping the issue under the carpet. Names, email addresses and telephone numbers are still a significant breach of not only security, but also customer trust.
It will be nice to see if Demon customers get an apologetic email (they haven't yet!), or whether it will be hoped that "no-one noticed".
By martinc on 23 Sep 2009
Human error is understandable, but the fact that Demon seems to have very little internal security seems very disappointing.
A spreadsheet with customers' username and password should have been able to be distributed outside of the company system, I find it to be gross incompetence on the part of companies and organisations who have little or no internal document security system to prevent small breaches such as this.
I'll be taking note to stay well clear of Demon in the future.
By saqib_ on 23 Sep 2009
Note to Self
Note to self... Steer clear of Demon.
Hold on, I'm sure I've already got a similar note to self after last time.
By GlasgowGuy on 23 Sep 2009
Typical of Demon these days
Was with Demon >14 years. Left 1 month ago because I could take any more of their declining standards and awful customer service.
Can't say I'm surprised by this latest ebilling disaster. They seem to have made a real mess of this - I'm sure it's almost two years since they first tried to get this off the ground.
Demon need to be hauled over the coals on this and handed a massive fine. I'm far more concerned when my name and address gets handed out than when my credit card number ends up in the wrong hands. I can cancel my credit card - I can't change my name and address so easily. Name and address is all that's needed to carry out ID theft. Wake up Demon!
By agavinm on 24 Sep 2009
Have to somewhat agree
'agavinm' you certainly got the customer services bit right!
I called one day to ask if I was up to date on payments. Instead of an answer the lady said that I needed to look at ebilling. The frustration of some literally 3 hours over 2 days to find ebill is just .pdf's of your last 13 months invoices beggars belief.
To now hear that with their new connect data (I got mine) this kind of thing has happened worries me. No one told me the extent of the problem. Probably the 'miscreant' will get promotion!
By photomanlondon on 24 Sep 2009