User comments on ISPs
  >> PlusNet plc




These posts have been archived and can no longer be replied to or modified.
Standard User deleted
(deleted) Tue 15-May-07 11:40:55
Re: Reading between the lines

[re: h0tblack]
 
Personally I
Standard User jelv
(fountain of knowledge) Tue 15-May-07 11:42:08
Re: Reading between the lines

[re: IanWild]
 
In reply to:

Overnight we conducted some pretty serious screw tightening across the board, but what we are aware of relates solely to the Webmail platform.



Is it just me that saw the resemblance of Plusnet to Railtrack and the fiasco over maintenance of points?

That you have "conducted some pretty serious screw tightening" is an admission that some screws were seriously loose at Plusnet (take that as you will!).

Two questions:

Do Plusnet have a policy of conducting periodic security reviews of all their systems and procedures?

If so, when was the last review of webmail?

jelv

Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
Standard User h0tblack
(fountain of knowledge) Tue 15-May-07 11:56:05
Re: Reading between the lines

[re: jelv]
 
Additionally if those screws could be tightened overnight then I'd imagine not a huge amount of work would have been needed to have been proactive about this work rather than reactive. And it looks as if multiple 'screws have been tightened' implying as well as the now known hole, others were found during investigation. It's great that they've done it now, but why is it PlusNet repeatedly can't put resources into ensuring these things don't happen in the first place? Amazing how this same company attitude has come back to haunt me even long after leaving as a customer because of it.

It would be interesting to get answers to those questions jelv, but they sound sorely like questions we've asked and never had adequately answered in the past. I hope I'm proved wrong though.



Standard User deleted
(deleted) Tue 15-May-07 11:57:25
Re: Reading between the lines

[re: jelv]
 
Also at 7.33pm last night it was "confident that we have resolved this issue"

But the "screw tightening" was done overnight!

Would have thought the "screw tightening" would come before resolving the issue!
Standard User h0tblack
(fountain of knowledge) Tue 15-May-07 12:01:26
Re: Reading between the lines

[re: deleted]
 
I've supplied them with a test email address that I can't remember having ever been used by webmail and it was only known by me. It was set up and used via IMAP/POP3 a couple of times a couple of years ago. It did have messages sent to it from an address that has been accessed via webmail, but those messages weren't sent by webmail AFAIR. So there is a link to webmail but it's pretty tenuous.

Will be interesting to see how things pan out. Thankfully the non PlusNet e-mail address linked to my old account for communication/billing/etc (but never to any PlusNet email addresses) seems to be untouched. Unless of course any spam it has received has been intercepted en-route.
Standard User deleted
(deleted) Tue 15-May-07 12:03:31
Re: Reading between the lines

[re: h0tblack]
 
In reply to:

Thankfully the non PlusNet e-mail address linked to my old account for communication/billing/etc (but never to any PlusNet email addresses) seems to be untouched.



For me, these are exactly the addresses that are being hit.
Standard User deleted
(deleted) Tue 15-May-07 12:31:59
Re: Reading between the lines

[re: deleted]
 
They are obviously 2 years ahead of themselves.
Standard User paul2002
(member) Tue 15-May-07 13:08:39
Re: Reading between the lines

[re: deleted]
 
To be fair, you don't know you have a problem until you have a problem! A lot of fixes/patches are mainly after the horse has bolted unfortunately. I really don't think a company can say they are watertight anymore.

It's still a valid question to ask: does Plusnet feel it is doing all it can to protect our personal information? Perhaps Ian, in the next few days, at do FAQ on how our information is looked after both internally and from external attack? Ian?



Paul

Plus Net - maxDSL - premier....or whatever its called now
Draytek Vigor 280VG running 2.7_E38 firmware
Standard User deleted
(deleted) Tue 15-May-07 13:11:25
Re: Reading between the lines

[re: paul2002]
 
The nature of the "leak" would be informative.... external hack? system weakness, inside job etc...
Standard User blewit
(committed) Tue 15-May-07 13:15:53
Re: Reading between the lines

[re: paul2002]
 
I'm aware that they use several pieces of externally purchased/open source software. I'd be especially interested to know what policies and processes they have in place for monitoring resources for known problems with these pieces of software [Perhaps one for the FAQ Ian?]

I know for people I've done work for I maintain an asset list of software installed, what version, patches applied etc. and monitor applicable security lists/fora etc. to make sure that I know what vulnerabilities have been identified and take proactive steps to resolve them.

Of course - if they succumbed to a previously unknown vulnerability then I'm not sure what else I would have expected them to do - but if it turns out that this *was* a known apache/perl/atmail bug then some serious questions have to be asked.