Were personal details stolen in the Fasthosts breakin? | Technology | Guardian Unlimited
The Wayback Machine - https://web.archive.org/web/20071208081233/http://blogs.guardian.co.uk:80/technology/2007/12/07/were_personal_details_stolen_in_the_fasthosts_breakin.html

Guardian Unlimited Blogs : http://blogs.guardian.co.uk/technology/


Were personal details stolen in the Fasthosts breakin?

The UK's biggest hosting company, Fasthosts, is beginning to own up to a hack which compromised sensitive data. But how extensive was it?

Maybe we should have a new category on the blog for "data breaches", since they're becoming the topic du jour. Recently the hosting company Fasthosts owned up to the fact that hackers managed to get access to its systems and compromised passwords - possibly including accounts for FTP and databases. The company emailed customers on October 18 telling them to change their email, FTP and login details:

We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords.

(Disclosure: I have a Fasthosts account, which has credit card and address details. So I've got, as they say, some skin in this.)

"Some service passwords"? Seems, perhaps, mild enough. (Although Fasthosts has reset the passwords for every account that hasn't already been reset by its customers.) But now the claims are that the breakin also compromised customers' personal details, including addresses and credit or debit card details used to pay for accounts.

That's the claim made in The Times, which says

The hackers managed to access the “master database” of Fasthosts for information, including addresses, bank details, e-mails and passwords.

This is of course potentially much more serious. Fasthosts says it hosts 1m domains, which implies thousands of customers (since many run multiple domains).

Security companies were quick to leap on this: McAfee approved a press release yesterday which said

Hundreds of websites have been shut down temporarily by one of the largest web hosting companies in Britain after the personal details of customers were stolen by computer hackers. The hackers managed to access the “master database” of Fasthosts for information, including addresses, bank details, e-mails and passwords.

So is Fasthosts denying that customers' details were accessed? After all, if they were, that would have serious implications for those customers. I asked their PR person to clarify - pointing out that if McAfee is making untrue assertions then it's putting Fasthosts' business at risk, so it's important to get it right.

The reply - at least the part relating to customer details:

we are currently working with the police and other relevant industry bodies, and we regret that we are unable to comment on any specific details that might prejudice the ongoing investigation. Due to the precautions and improvements made, the security vulnerability has since been removed.

This, you'll notice, doesn't answer the question. So I put it again. The reply from its representative:

[Fasthosts is] unable to provide any more specific detail on the network intrusion communicated in October, as I’m told specific details might prejudice the ongoing investigation. I can say that the precautions and improvements made since have removed the security vulnerability.

There's a fair old roasting of Fasthosts going on over at The Register, and meanwhile thousands of people (yes, including yours truly) are left wondering whether their credit cards are going to be buying Christmas presents for people they've never heard of - or whether actually it's all perfectly fine. One feels that if there hadn't been an intrusion into the address/credit card database, Fasthosts would have said so.

All of which leads us to some questions:
1) have we reached the point where companies which mislay data or find it has been accessed wrongly should have to own up, by law?
2) is online commerce broken? The problem is that whereas passwords for FTP space are kept in hashed form that one hopes is uncrackable (see this week's "How safe are your online passwords?" piece for advice on writing good ones), credit card numbers and addresses often aren't, because companies need them in the clear to bill us. (Feel free to contradict me if I'm wrong.) What we need is a way of hashing our credit card and address details so they're still useful to companies we have a relationship with, but not to hackers. Possible? Impossible? Tell me how.
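One answer to question 2, as an added worked example that is not part of the original post: a plain hash of a card number does not protect it, because the issuer prefix (BIN) is public and the last four digits are printed on every receipt, leaving only six unknown digits, so an attacker with the stolen hash recovers the card in under a million guesses. A keyed hash (HMAC with a secret the merchant keeps away from the customer database) gives a safe value for matching cards, but neither form lets the merchant bill you. What hosting companies and other recurring billers actually do is tokenisation: the card number is handed to the payment processor, which returns a random token, and the merchant stores only that token and charges against it. The vault below is a toy stand-in for such a processor, the merchant name and card number are constructed test values (4111 1111 1111 1111 is the standard Visa test number), and nothing here is Fasthosts' or anyone else's real code.

```python
"""Added example (not from the Guardian post): why a plain hash of a card
number is not a safe way to store it, and what merchants do instead
(a keyed hash for matching, a processor token for billing).

All card numbers are constructed test values; ProcessorVault is a toy
stand-in for a payment processor's card store, not a real API."""
import hashlib
import hmac
import secrets
from typing import Optional

# 4111 1111 1111 1111 is the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plain_hash(pan: str) -> str:
    """What 'just hash the card number' means in practice: unkeyed SHA-256."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC with a secret the merchant keeps outside the customer database:
    the same card always maps to the same value (useful for spotting a card
    reused across accounts), but without the key there is nothing to guess."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def brute_force_plain_hash(target: str, bin6: str, last4: str) -> Optional[str]:
    """Attacker's view of a leaked plain hash: the 6-digit BIN is public and
    the last 4 digits appear on receipts, so only the middle 6 digits are
    unknown. That is at most 1,000,000 SHA-256 calls; it finishes in seconds."""
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if plain_hash(candidate) == target:
            return candidate
    return None


class ProcessorVault:
    """Toy model of a payment processor's vault. The merchant never holds the
    PAN; it holds a random token and asks the vault to charge it. A dump of
    the merchant database yields tokens that are useless without the vault,
    and the vault only honours a token for the merchant it was issued to."""

    def __init__(self) -> None:
        self._cards = {}  # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(16)  # random; carries no card information
        self._cards[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_pence: int) -> bool:
        entry = self._cards.get(token)
        if entry is None or entry[0] != merchant_id:
            return False  # unknown token, or a token stolen from another merchant
        # A real processor would forward (pan, amount_pence) to the card
        # network here; the toy just reports that the charge was accepted.
        return True


def merchant_record(vault: ProcessorVault, merchant_id: str, customer: str,
                    pan: str, hmac_key: bytes) -> dict:
    """What a hosting company's customer table should hold instead of a PAN:
    a processor token for billing, a keyed fingerprint for duplicate
    detection, and the last four digits for showing the customer."""
    return {
        "customer": customer,
        "card_token": vault.tokenize(merchant_id, pan),
        "card_fingerprint": keyed_hash(pan, hmac_key),
        "last4": pan[-4:],
    }


def demo() -> dict:
    """Contrast the two designs: a leaked plain hash is reversed, while a
    leaked tokenised record contains no card number and the token is
    worthless to anyone but the merchant that was issued it."""
    hmac_key = secrets.token_bytes(32)   # kept in a key store, not the database
    vault = ProcessorVault()
    record = merchant_record(vault, "example-host", "alice", SAMPLE_PAN, hmac_key)
    leaked_row = str(record)             # what the intruder sees in a DB dump
    return {
        "plain_hash_recovered": brute_force_plain_hash(
            plain_hash(SAMPLE_PAN), SAMPLE_PAN[:6], SAMPLE_PAN[-4:]),
        "pan_in_leaked_row": SAMPLE_PAN in leaked_row,
        "merchant_can_bill": vault.charge("example-host", record["card_token"], 999),
        "thief_can_bill": vault.charge("other-merchant", record["card_token"], 999),
    }


if __name__ == "__main__":
    print(demo())
```

Addresses are a different matter: a merchant that ships goods or prints invoices needs the address in the clear at the moment of use, so the realistic controls there are encryption at rest with the key held elsewhere, and tight limits on which systems can decrypt, rather than any kind of hashing.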

Comments


ALobster

Comment No. 822785
December 7 14:49

Douglas Adams had it with a device that could store genetic data, isometric data, passwords et al in a single handy form that was impossible to hack. It was brilliant unless it was stolen, because when it was stolen the thief became more you than you were. Eventually, the only way for this to work for the consumer is for the retailer to own all the risk, and vice versa.

I am not ALobster, and neither is he.

JoeH

Comment No. 823050
December 7 16:25

Am I right in thinking that even if the worst happened it would constitute identity theft and be covered by the card issuer/bank? Or is this just theft? I don't like the idea that card details are that vulnerable as I (naively) presumed that card details went into an encrypted black hole at the server end which even the company's staff couldn't access and monthly payments would be automatic from within the machines. I have too much faith in technology.


As an aside, isn't it a bit strange that companies like Fast Hosts (and many others including Setanta) choose to take your card details and set up a monthly (or annual) repeat payment rather than use the direct debit route which would be safer for consumers? I suspect it is a ploy to protect their revenue stream which the OFT should probably look at.

BrusMacGallah

Comment No. 823284
December 7 19:11

After waiting an hour for the ill-named helpline (your number is 53, we will answer your call shortly) I was answered by an ill-mannered punk with the customer relation skills of Attila the Hun. I was told having to change 1000 e-mails was better than somebody using my e-mail address, all in a barely post-pubescent whine. But where was the apology, did they steal that as well? When I asked who was responsible for this clusterf**k, I was told no one else was complaining.
They could call themselves pulling a fastone hosts.
