ESB customer data vulnerable to security attack

probe

The ESB has the sexiest database in Ireland for ID thieves. The name and address and lots of other information about every household and business in the country - including bank account information, credit card details and perhaps a lot more.

According to an article in the Irish Times recently, these data do not appear to be encrypted. And no doubt there are dozens / hundreds of copies of the data in backups in various locations. All unencrypted?!

When are the incompetents at dataprivacy.ie going to take action against companies such as the ESB to take proper care of customer data? Many retailers in Ireland are still getting away with swiping the magnetic stripe of payment cards and storing these data at the point of sale on their corporate computer networks, for no good reason. Long after Ireland has rolled out the EMV card and PIN. The retailer has no business storing card number details or physically handling your card.

In France, all retail point of sale transactions are captured by a bank controlled card machine (into which the customer inserts the card themselves), and the data transfer between the chip on your card is transmitted in encrypted format between the chip and your bank - keeping the retailer out of the clear text chain.

.probe

http://www.irishtimes.com/newspaper/ireland/2008/0721/1216565492630.html

BoB_BoT

great sounds freakin fantastic. It'd be interesting to see if it's easily accessible, suppose if you're working in the relevant IT department of the ESB, would it just be a matter of ensuring that the data access is not traced back to you. It's an absolute joke that a company as big as the ESB can fail to encrypt / protect data.

Although that article only mentions credit cards, it doesn't say anything about other type of payment data. Perhaps the new "higher security level" being required is different from their current solutions. Maybe they just encrypt the credit card number details, it'd be interesting to know what their current means of storage is for credit card details and all other details. That's a lot of maybes. :P

probe

BoB_BoT wrote: »

great sounds freakin fantastic. It'd be interesting to see if it's easily accessible, suppose if you're working in the relevant IT department of the ESB, would it just be a matter of ensuring that the data access is not traced back to you. It's an absolute joke that a company as big as the ESB can fail to encrypt / protect data.

Although that article only mentions credit cards, it doesn't say anything about other type of payment data. Perhaps the new "higher security level" being required is different from their current solutions. Maybe they just encrypt the credit card number details, it'd be interesting to know what their current means of storage is for credit card details and all other details. That's a lot of maybes. :P

The ESB changed its customer accounting system a few years ago, replacing the previous system which was probably in situ since they computerised their accounts receivable system first. Under the old system, they had an intelligently structured simple account number structure (eg 4567 12 456) – which was based on the geography of the country – the first 4 or 6 digits of which would have made a good postcode system in infrastructurally screwed up Ireland….

The new system has a brain dead waste of numbering space – an account number (different to the old 9 digit account number) + an 11 digit “MPRN” number. For no apparent logical reason. If they wished to cater for unbundling the supply platform, they could far more simply add a few prefix or suffix digit(s) to provide the required resolution – leaving the existing basic account number in place.

With morons like this in charge of the “system”, you can be sure that it is not just card numbers that they don’t encrypt!

Aside from the silly idea of a utility accepting “credit cards” to settle their monthly bills. Contributing to the fools’ paradise of people living on borrowed money, expensively borrowed money.

.probe