ESB Data protection breach

syklops · 28-07-2009 7:03pm #1

Hi,

This morning I received my ESB bill via email. To my dismay I realised that ESB had not used the Blind Carbon Copy function of their email client so everyone who received the email, is also able to view the email addresses of everyone else on the . Over 50 addresses in total.

I have emailed them to complain about this blatant disregard for information security, and have brought the matter to the attention of the Data Commissioner.

I will let you know how I get on.

I have not dealt with the Office of the Data Protection Commioner before. Does anyone know what I can expect to happen next?

Thanks,

-S-

probe · 30-07-2009 2:49pm

Perhaps you should email everybody on the cc list to advise them of the ESB's incompetence - using Bcc, obviously!

ESB bills should be sent as individual emails - using the "To" field rather than any of the "cc" fields.

Snail mail is better. If everybody gets their utility bills and similar by email, Ireland will end up with no post offices - no An Post! At least the continental post offices own and operate banks within their branches with a large market share to help fund the entire operation.

If someone intercepts your ESB bill over the internet, and prints it out on a colour printer in good quality, they can use it to steal your identity (eg as proof of address for opening a bank account, getting a loan, credit card, whatever).... Web based email services are particularly vulnerable to email intrusion (eg where the intruder claiming to be you tells the email provider that he has forgotten his password). All he needs in many cases might be the name of your dog or first school.

Fnergg · 30-07-2009 4:40pm

What happened here is that a small number of customers (50 odd) were able to see the email addresses of other customers through a human error.

They were not provided with any account information, account numbers, telephone contact numbers or any other sensitive data - just email addresses. There was nothing in the email that would have allowed any of the recipients to access the account information of any of the others.

It shouldn't have happened of course but in the overall scheme of data protection issues it's very small beer indeed.

Regards,

Fnergg

Abelloid · 30-07-2009 6:45pm

Excuse my ignorance but what is the problem? It's just a load of email addresses, isn't it?

probe · 30-07-2009 7:23pm

Fnergg wrote: »

What happened here is that a small number of customers (50 odd) were able to see the email addresses of other customers through a human error.

They were not provided with any account information, account numbers, telephone contact numbers or any other sensitive data - just email addresses. There was nothing in the email that would have allowed any of the recipients to access the account information of any of the others.

It shouldn't have happened of course but in the overall scheme of data protection issues it's very small beer indeed.

Regards,

Fnergg

While it may not have directly provided account numbers etc, I suspect most people know the name of their neighbour's dog etc, and if they were so minded could use the fact that neighbour x uses yahoo or whoever and try and grab their password. Or do some searching in google and find their social networking page with details of the person's dog...... Blatant incompetence on the part of the ESB. Not human error. If a utility is going to provide bills by email, they need to create a system that works and test it.

probe · 30-07-2009 7:25pm

JustinOval wrote: »

Excuse my ignorance but what is the problem? It's just a load of email addresses, isn't it?

Put the "load of email addresses" in google, yahoo and bing (one by one) and see what it yields forth.

A clear breach of data protection law.

Abelloid · 30-07-2009 7:33pm

probe wrote: »

A clear breach of data protection law.

That may be true but I still can't see what the problem is.

Fnergg · 30-07-2009 8:51pm

probe wrote: »

Put the "load of email addresses" in google, yahoo and bing (one by one) and see what it yields forth.

A clear breach of data protection law.

I took random Flickr contributors, searched their profiles, got their email addresses and searched Google etc., as suggested and got...zilch.

My own email addresses are out there on several websites. I've never had any problems.

Regards,

Fnergg

Tim M-U · 31-07-2009 8:32pm

used to get it via email (few months back)...

..changed to airtricity! (resession!)

that god i didn't go with bord gais or ESB!...i

Amalgam · 31-07-2009 8:40pm

probe wrote: »

If someone intercepts your ESB bill over the internet, and prints it out on a colour printer in good quality, they can use it to steal your identity (eg as proof of address for opening a bank account, getting a loan, credit card, whatever).... Web based email services are particularly vulnerable to email intrusion (eg where the intruder claiming to be you tells the email provider that he has forgotten his password). All he needs in many cases might be the name of your dog or first school.

You would be amazed at what you can do with just an ESB bill and maybe a dodgy piece of identification with a matching name. I had the misfortune of living in the same building as people who stole utility bills, because it is so easy to then use them as qualifiers for services, mobile phone, video and DVD rental, bank etc..

Never ever throw out utility bills in one piece\good condition.

Fnergg · 01-08-2009 6:57am

Tim M-U wrote: »

used to get it via email (few months back)...

..changed to airtricity! (resession!)

that god i didn't go with bord gais or ESB!...i

The Airtricity data protection breach seems to have passed you by. In January 2009, Airtricity confirmed that they inadvertently made available on their website the personal and financial details of 1200 of their customers who’d signed up online for their electricty service.The incident actually happened in November, but wasn’t noticed until January.

Regards,

Fnergg

ESB Data protection breach

Comments