ISP PlusNet has had its email database stolen and its users' accounts
bombarded by spammers, AGAIN!.
The attack first surfaced yesterday, when PlusNet punters reported that
previously spam-free email addresses were being filled with unsolicited discount
pharmacy marketing. Some forum posters report that a few of their webmail
contacts have received more spam too.
In a statement, BT-owned PlusNet said: “It has come to our attention
that a number of customer email addresses have been obtained illegally by a
third party. We are in the process of contacting all affected customers in
order to inform them of the incident and of any steps they need to take to
ensure that their internet connections and computers are safe.
“We regret that this has happened but are confident that we have
resolved this issue and will monitor the situation closely to ensure that the effect
is minimised and the issue does not reoccur.”
PlusNet has not revealed whether it has been hacked or if the data was
obtained illegally some other way.
The news is a huge blow for PlusNet, which recently
completed migration to a brand new £250,000 NetApp email platform. The last
time accounts suffered from a spam attack was this April, mid-way through
migration, at which time the firm said its new hardware would remedy its email
One unlucky PlusNet user contacted PJC Journal to confirm
that they had received a comfort email from BT/PlusNet to advise that they have
assembled a task force to address the issue that includes a board director.
They are requesting that people do not contact customer services about it, as
they are trying to contact those affected.
It would appear that PlusNet have a very lax email creation
policy, which allows email addresses in the form of firstname.lastname@example.org,
so one can make up lots of throw away addresses, which would only go to hinder
any enquiry to identify who had the lax security! Almost sounds like a spammers
There is also speculation amongst users as to whether the legally required data retention areas of the PlusNet system have been hacked, releasing details
of users sent and received emails.
There have been warnings by many security experts that this
would eventually happen and that the keeping all of your eggs in one basket
method is inherently dangerous.
There does need to be a full and detailed report from the
task force, an undertaking to the users of this service that PlusNet will take
responsibility for its lack of security, and a considerable investment made in
tightening up that back end security.
For its lack of due diligence in securing customer details,
this organisation may be an ENABLER of ID fraud.