
KC Fibre Engineer in Hull UK Exposes Unencrypted User Passwords

Friday, January 17th, 2014 (12:51 pm) - Score 2,796

At least one of KC’s fibre optic broadband engineers in Hull (East Yorkshire, England) could be in hot water after demonstrating a worrying lack of personal data security by effectively exposing the ISP’s unencrypted user passwords (and other personal data) during an on-site service installation visit.

The incident occurred when an engineer, who was visiting one of their customers (Chris Hill) in order to install the operator’s latest Lightstream fibre broadband (FTTP/C) product, began the process of setting up Mr Hill’s Netgear router for the new connection.

According to Mr Hill, the engineer then connected a laptop to the router and opened up a spreadsheet that displayed a long list of customer IDs, phone numbers and passwords in plain text (unencrypted) format. On top of that, the same details are also used to hook up the ISP’s Karoo email service, including webmail and POP3, and at no point was Mr Hill advised to change his password from the default.

It’s understood that the engineer, who attempted to shield the data from Mr Hill’s prying eyes (top security measure there), commented that having such access to the data “makes our job much easier”. But that’s certainly not the only thing it makes easier.

KC’s Statement (The Register)

“The security of our customers’ information is of primary importance to us and we are aware of and take very seriously our obligations under the Data Protection Act. We investigate any alleged data security incidents promptly and thoroughly, and we act quickly to make any improvements such investigations identify.”

The operator added that “all of our laptops are encrypted, password-protected and fitted with tracking technology and the facility to remotely wipe data”, which is all well and good, but it doesn’t matter a hell of a lot of beans if the file containing said data fails to keep the passwords individually encrypted. A crafty HD Smartphone pic is all it would take.

The fact that engineers could potentially also gain access to a customer’s personal email account by using the same information, and do not show customers how to change the password directly after they leave, is of similar concern. Mr Hill, perhaps understandably, believes that this appears to reflect a wider culture in how some or all of KC’s engineers work and he has thus lodged an official complaint.

By comparison, other ISPs usually send individual passwords to customers in a secure carbon-scratch form via a letter, or put them on a sticker that’s attached directly to the router in its box. Some, such as Sky, don’t even reveal the password to customers (though this makes it harder to use a third party router). In many of these cases the email and connection passwords are also kept separate.

2 Responses
  1. Ian says:

    I moved to Plusnet recently, the password I provided to them whilst signing up online was sent out in a welcome letter, and I’ve been asked for characters from it whilst on the phone.

    Prior to that when I signed up for BT Infinity in 2011 they sent me an email with the password I’d just provided to them.

  2. bob says:

    Why would they even give an engineer access to all the user passwords? That’s a fundamental failure of basic security.


Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved