
...and then my mouth fell open... Password Sent to me in plaintext by Finance PLC

Andy 0

Hello all,

Just a vent really, but just a warning to still be careful in 2020.

Yesterday I received a communication from a large financial PLC in the UK (millions of customers, not some wonky website) and at the bottom of the email was my password in plain text, as well as my date of birth, address and full name.

I telephoned them immediately - and after being shrugged off by a few call handlers ("would you like to make a payment sir?") I eventually got through to a manager, who passed me up, and up, and up, until I was speaking to a compliance officer.

Initially it was made out I was winding them up, and the gentleman on the telephone said "Oh, we keep a log of all the emails, I can see that it said..." and then he fell silent.

For about thirty seconds I heard nothing...

"Oh, this is serious."

Now despite my protestations that they simply shouldn't be able to view passwords, and that the password should be a hash/salt that would mean nothing to anybody and that even if it was made public it shouldn't matter, however this was just a plaintext password with the formatting suggesting it had been copied and pasted from another system as part of a Data-Protection Validation when I emailed them.

They've made it a reportable incident to the ICO I believe (and well, let's just say my account is now in VERY good standing with them) but just a warning boys and girls: even ostensibly trustworthy organisations are STILL holding passwords in plaintext. What was more worrying was one of the first managers claiming "if we can't see your password, how would we log in to your account?" Now he either misspoke -or- this firm is using a database of passwords and copy/pasting them into a portal to log in to customers' accounts.

I now need to change all of my passwords.

Use a password manager!

Just a heads up, just wondered if anybody else has experienced anything like this in the last few years?

Cheers,
Andy
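
The storage model the post above argues for, as an added example that is not part of the original thread: the system keeps only a random salt and a slow hash, so login checks still work while no staff screen or email template has a password to display. The scrypt parameters, field names and the `staff_view` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example; tune for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the password is never stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def make_record(password: str) -> dict:
    """Build what goes in the database at registration or password change."""
    salt = os.urandom(16)  # fresh per user, so equal passwords give different hashes
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive from the attempt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)


def staff_view(customer: dict) -> dict:
    """Hypothetical helper: what a call handler or email template receives.
    The credential record is dropped entirely; nothing in it is needed by staff."""
    return {k: v for k, v in customer.items() if k != "credential"}


if __name__ == "__main__":
    # Constructed sample customer, not real data.
    customer = {"name": "Sample Customer",
                "credential": make_record("constructed-sample-passphrase")}
    print(verify(customer["credential"], "constructed-sample-passphrase"))
    print(verify(customer["credential"], "wrong-guess"))
    print(staff_view(customer))
```
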
 

Minor Problem

That beggars belief Andy! Very scary stuff.
 

Andy 0

Luckily I have the telephone call recorded and I'm quite happy to name-and-shame unless I have their written assurance by end of play today that this is being taken very seriously.

In fairness the gentleman I spoke to in the end did take the matter very seriously (although I think it's a case of "sorry they were caught" rather than any true regret) and he couldn't explain why an email would be sent to me with "Customer Password - [My log in password]" in it. He was very aware of how to store passwords etc and couldn't understand how it happened. The gentleman was filling out (what I imagine) was an ICO form over the telephone with me as the questions sounded very specific.

They are an agent for EE and HBOS among other 'blue chip' companies so this could be devastating for them.

They did wipe my account (although that was in dispute and not applicable anyway, and seeing it was an £80 bill I think that was the first thing that sprang to mind) but this has cost me time as well as being utterly terrifying. It makes me wonder a) How long has this been going on b) Who is aware of this and hasn't spoken up c) How this has been signed off in data audits.

A very flashy portfolio website boasting (seriously) of how compliant they are with all industry best practice in their sector, lengthy privacy agreements etc...

Moreover, I simply emailed them, so I could have been absolutely anybody who had that information returned to my inbox at random.

Stunned, I was on the telephone to one of their rivals as I opened the email and I was genuinely stunned and fell silent.
 

Phill104

Stunned would be an understatement if that happened to me. It could if this got out cost them a seven figure sum.
 

Skyshot

That is a really bad thing obviously Andy and it's really good that you've pulled them up over it.

Whatever you do though, don't publish who they are online as it could cost lots of people serious money and major problems.

You could tell them that you'd be happy to sign a 'gagging order' for an 'agreed' sum though. ;)
 

Keitht

As this has all gone quiet, I assume Andy had a successful outcome.
 

Skyshot

He's not logged in since the day after he posted this . . .
 

Minor Problem

Probably spending his earnings retired in the sun...
 

tenchy

Awful!
I've had it from some more niche companies and sites, where it's not really an issue if it was intercepted, just irritation factor, but nothing like this.
I wish however I could be shocked that big companies are this poor.
 