Data retention… be afraid, be very afraid.

Nov 01

Why is this data retention stuff scary? Well, in addition to stuff like mismanagement of security credentials for sensitive health data, this one below is from the horse’s mouth: an email from me to my ISP at the time, back in April 2011.


To [ISP] Support:

I have been a [ISP] customer for several years.

Yesterday I set up individual e-mail addresses on my [ISP] account (marshallroberts@[ISP]) for my son and daughter. My son’s was to be [sons-name]@[ISP]. I was advised that if I didn’t hear anything from [ISP] in 24 hours, the account would be fine to use.

Not having heard anything, I set up my son’s e-mail client to log in to his new e-mail account, and was surprised to see 240-odd emails start downloading.

From the content and addresses of the emails, it seems that I was downloading the emails belonging to a teenage [sons-name] [surname], dating back to February 2010. Among other things, these emails included photos, Facebook information, and at least one username/password combination to a school-based, web-hosted account.

As a parent and an IT consultant I am horrified to think that as a [ISP] account holder, my data, my family’s data, and my clients’ data, could be indiscriminately distributed to someone who happens to create an e-mail account with the same username.

I would appreciate an explanation of how this could happen, and what will be done to ensure it can’t happen in future. As it stands, [ISP] appears to fall a long way short of adhering to the Privacy Act.

Thank you,

Marshall Roberts.

I also contacted the parents of the child whose emails I’d just received (because I had their contact details, courtesy of the ISP) and advised them of the breach.

The ISP’s first response indicated a “failsafe” had failed. I pressed the issue further, since this was rather obvious. Eventually I was advised that the accounts of some users were to be ‘migrated’, which left a ‘window of opportunity’ during which accounts using the same username could be created. My raising the issue meant that all remaining customers were ‘force migrated’ to close the window of opportunity. In short, if it was an isolated incident, it was just pure luck.