Big Plusnet UK Billing Upgrade Suffers Bugs and Personal Data Leak

Customers of budget broadband ISP Plusnet appear to have experienced a turbulent weekend after a major migration of their billing system, which the provider had described as being “one of the biggest projects the company has undertaken“, suffered bugs and a small personal data leak.

Historically migrations or upgrades of major database driven systems (email, billing etc.) rarely complete without causing a few headaches, which is perhaps to be expected given the vast amounts of data involved and the tendency for all sorts of unusual errors to occur along the way.

The upgrade process itself – classed as “routine maintenance” – began on Friday 31st August and meant that their advisors weren’t “able to deal with account specific queries and some of our web pages are unavailable” (e.g. customer account pages). The process was only supposed to last until Saturday morning but the disruption continued into Sunday and the same notice is still present on their Service Status page this morning.

The reason for this delay soon became apparent as both former and existing customers alike began reporting problems, such as receiving incorrect billing notices or payment requests. Unfortunately the system outage meant that not even Plusnet’s support staff could initially chase up those complaints.

Now The Register has reported that Plusnet’s upgrade also resulted in a seemingly minor personal data leak, which meant that a “handful” of customers were able to view the contact details (name, address etc.) of other users at the same ISP (note: it’s possible this may have affected more than a handful of accounts as that only seems to be the ones they’ve identified). Thankfully this didn’t include any financial data.

A Spokesperson for Plusnet said:

“We’d like to reassure all our customers that we immediately prevented access to the My Account section of the website and we quickly fixed the problem.

We take the protection of our customers’ data extremely seriously, and have informed the relevant authorities [Information Commissioners Office].”

In fairness it’s possible that Plusnet may have actually done a better job of the upgrade process than you might think. We’ve seen plenty of similar large-scale billing migrations occur over the years and the fallout is often far worse and much more vocal, while this one passed by with only a relatively small number of gripes.

We’d be surprised if the ICO hit Plusnet with a significant financial penalty for the internal data leak, given the context, although this may depend upon whether or not the leak was truly isolated to only a “handful” of users.