UK ISP loses email database to spammer

Have you suffered from sudden increase in spam this week? If so, you could be a victim of an ISP data theft scandal, even if you’re not a customer of the company in question.

UK ISP PlusNet has this week become the latest in a long line of companies to fail to adequately protect their customers’ privacy. Confirming a major security breach in their webmail system, PlusNet’s Networks Director Phil Webb said,

“On Sunday 13th May 2007 we received reports that customers were receiving spam emails to addresses that had not previously received spam. Following investigation of these reports it became apparent that a third party had illegally acquired a list of email addresses. This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail…”

“[The] list is now being used to distribute spam email which continues to be sent to customers, and it is likely that this will continue.”

Customers’ address books have also been stolen, widening the impact to the friends, relatives and colleagues of those affected.

Though PlusNet’s webmail servers are separate from its credit card processing systems and customer databases, users have been advised to change their passwords immediately to safeguard against the potential for identity theft.

In an email to all users, Webb added that the webmail system was taken off-line immediately the breach was detected, and that it remains off-line due to further unpatched vulnerabilities. No timescale for a fix was given at the time of this writing.

I applaud PlusNet’s honesty in reporting this security breach and subsequent data theft to their users, and I’m sure they’ll direct all their efforts to resolving the situation as best they can. However, it is of grave concern that a major ISP has security arrangements so lax as to allow a failure of this magnitude to happen in the first place.

Questions must be asked about why the webmail system was so riddled with bugs that it remains offline even now, especially as it transpires a patch was already available for the exploited vulnerability.

Meanwhile, thousands of email addresses have been forever compromised, which translates to thousands of extremely annoyed customers and, probably, the loss of many more potential future customers.

Companies must be given an economic incentive to put their customers’ privacy first if cases like this are to be prevented in future. In the absence of any framework for imposing fines on companies that neglect their data protection duties, I hope that a large majority of those affected by this and similar incidents will choose to vote with their feet and their wallets.

[update 1]: PlusNet have announced they’re enabling server-side spam filtering for all customers to help mitigate the increase in spam caused by this incident. Previously, this was a premium feature.