FYI UK People: Virgin Media stores Passwords in Plaintext

[Ethan.]

Twitter thread about it: https://twitter.com/virginmedia/status/1162756227132198914

 

Just thought I'd post this here for any UK people that use Virgin Media.

Also a massive GDPR violation so... file complaints away?

[vanished]

33 minutes ago, VegetableStu said:

"Posting it to you is secure, as it's illegal to open someone else's mail"

( /)_(\ we all can't be computer security experts, but...

 

Really though this is really bad, though certainly not unprecedented.  Didn't T-mobile or someone do basically the same thing recently?  They got caught storing passwords in plain text and then tried to defend it with equally incompetent nonsense

[mr moose]

There is a big one in Australia that does that too.    One day there will be laws that govern the minimum effort a company has to take to ensure security of these things.

 

 

EDIT: and before someone tries to claim GDPR is that law, it's not.  There is nothing that dictates the minimum requirement for storage of personal data, so long as it is not publicly available it is not in breach of GDPR.

[vanished]

10 minutes ago, mr moose said:

EDIT: and before someone tries to claim GDPR is that law, it's not.  There is nothing that dictates the minimum requirement for storage of personal data, so long as it is not publicly available it is not in breach of GDPR.

It would be interesting to know the specific legal terms that's spelled out in because this seems like a huge grey area otherwise.  What exactly is defined as "publicly available"?  At first glance it might seem rather black and white but when you think about it, it's actually quite a spectrum and who's to say where the line is drawn?

 

Edit: just to give some examples of what I'm thinking:

• Accessible through the homepage of a major website
• Accessible though a link that can be easily guessed or found through a scan, but one that is not publicized anywhere
• Accessible through something similar to the above but requires a password (and the password is something uselessly weak like "Admin", etc.)
• etc.

[SolarNova]

OMG those tweets are so funny to read.

 

VM have gone of the deep end if they truly believe what they have posted.

 

Either a colossal anus is in charge of tweeting ..or their account has been hacked, because its hard to believe a major company like them would open themselves up to massive legal repercussions by not only working that way but by coming out and stating it in such a way.

[mr moose]

10 hours ago, Ryan_Vickers said:

It would be interesting to know the specific legal terms that's spelled out in because this seems like a huge grey area otherwise.  What exactly is defined as "publicly available"?  At first glance it might seem rather black and white but when you think about it, it's actually quite a spectrum and who's to say where the line is drawn?

 

Edit: just to give some examples of what I'm thinking:

• Accessible through the homepage of a major website
• Accessible though a link that can be easily guessed or found through a scan, but one that is not publicized anywhere
• Accessible through something similar to the above but requires a password (and the password is something uselessly weak like "Admin", etc.)
• etc.

If someone from the public cannot access the information without a password or by deliberately penetrating a network designed  not to be accessible to them, then it is not publicly accessible.    I believe it would simply be a civil case between the two entities. GDPR as far as i know only dictates privacy as rights, not conditions exacting data handling specifications.

 

 

[Ezzy-525]

The best response from that twitter thread from someone taking the piss out of VM:

 

"Don't worry! Storing passwords in plaintext is secure, as it's illegal to hack a database."

 

As a VM customer I'm shocked at how piss poor the information security of one of our largest ISP's is. And given that these things tend to be industry standard...I'm guessing they're not the only ones who are bluffing their way through the gig.