Plusnet Liability

Ok seeing as there are many threads here and very long ones at that I decided to post here !

Having not been on here for a while I suddenly got an e-mail from Plusnet stating there incompetance yet again and furthermore giving out my details yet again.

I was one of the ones last Year who got sent an e-mail containing 28 thousand not 20 as was stated as I got these counted using software - and out of 28 thousand e-mails which I had 3 of mine in the list.

Now I am told they have had a server breach AGAIN and my details have been given out AGAIN even though I have been left from Plusnet for 18 months,

Now I don't give a rats bottom what excuses Plusnet state they are liable to keep their servers secure and updated, I host and sell websites and have my servers audited monthly and update them myself weekly for security holes and updates.

It is time Plusnet had legal action taken against them for their blunders time and time again - if they have infected customers computers with trojans or whatever then Plusnet should pay the price to have these PC's audited and repaired where needed.

I have my own PC's fully protected but many prob don't however it is not their fault if Plusnet through their incompetance and neglect have caused PC problems for customers and even ex-customers.

I still have all the details etc from last time and will add this to the list.

The sooner they stop these cowboys the better.

I think the question to ask is why they stil hold your email address. Do you still use them for email? Do you have a free dial-up account? If neither, you should ask the ICO to investigate whether the retention of your email in their system 18 months after having left is a breach.

Then read the get out clauses in the T & C's

21. Matters beyond our reasonable control

If we cannot do what we have promised in this Contract because of something beyond our reasonable control (including, without limitation, industrial disputes involving our employees), we will not be liable for this.

22. Our liability to you

22.2 We have no liability (whether in negligence or otherwise) for any loss not reasonably foreseeable by us when this Contract starts, nor any loss of opportunity, goodwill, reputation, business, revenue, profit, or savings you expected to make, wasted expenditure, data being lost or corrupted, loss or damage incurred by you as a result of third party claims or any indirect, special or consequential loss or damage howsoever caused.

One point.

In reply to:

---

furthermore giving out my details yet again

---

In reply to:

---

details have been given out AGAIN

---

From what I've been reading, Plusnet haven't given out any details. The details were obtained illegally. Now while one can't condone breaches in security, I've amazed that no one has even bothered to have a go at the perps of this crime. A bit like blaming the bank for an armed robbery.

I'll reserve judgement on the whole thing until the truth comes to light. If what Plusnet say is true, then eventually other parties will substantiate their statements. If not, then we all know the score.

Originally I was on free-online and was a moderator on free-online and f9 so was given free accounts on the other two sites f9 / plusnet to use / read those forums.

When I left they auto downgraded the accounts to the free dialup ones but I never used their e-mail all I ever got was the newsletter spins which I always bounced back anyway.

I used to log into their forums to read what was going on but havent for a long time.

There is more to this than they are letting on,

Two things, They might want to exclude liability for negligence but it is wishful thinking on their part and whether this loss was foreseeable remains to be seen. Secondly, the DPA regs about retention and security of said data can't (and hasn't been) circumvented by their Ts&Cs.

When I left they converted my account to a pay as you go dialup account. Does anyone know if it's possible to get Plusnet to completely remove it? I just logged into the portal and all my personal details are still there.

Yes, I did it last year. I hope they didn't just disallow me access to their portal but instead deleted the information altogether as I requested. I might be writing to PN to get a copy of my file to verify this fact.

But don't forget a T&C's of any company does not circumvent anything that they are legally responsible for.

I'm not saying the PN is legally responsible for this issue, but if they are, anything in their T&Cs won't get them out of it.

Given the fact that your website is still on their server and you can still update it, it doesn't look promising!

Don't forget the

In reply to:

---

Then read the get out clauses in the T & C's

---

But, and I'll keep saying this until I'm blue in the face, this fiasco has not only affected their customers (for some reason they appear to think I still have three accounts with them?), so their T

Edited by deleted (Thu 17-May-07 15:48:39)

In reply to:

---

4.6 When we provide the Service to you, we promise to use all reasonable skill and care of a competent Internet Service Provider.

---

Breach of Contract???

You should be able to contact them and request that all your details are removed from their records. There may be reasons for them not removing all records (data retention obligations), but those too will eventually expire.

There should be no reason for Plusnet keeping alive any communications with you, should you request they cease doing so, other than to settle any financial imbalances.

I'm not a laywer, and that's all based on my experience of the DPA, so ask PN, or others too before acting.

I hope for PN's sake you are wrong...

Only if you can prove that they should have reasonably done something to prevent it that they didn't - e.g. keep a list of all installed software and regular monitor them for vulnerabilities.

If you could prove that this was a published vulnerability that they *should* have caught then you might have a case - but quite how you'd prove that I'm not sure.

Stable door and bolted horse spring to mind

In reply to:

---

A bit like blaming the bank for an armed robbery

---

If the bank was using a safe that they knew was out of date, and had been superceeded by newer and more secure safes, then yes - I would blame the bank too.

It appears that stories are emerging that would point toward obsolete versions of software being used. Indeed N Armstrongs own words on the register seem to hint toward blaming this on underinvestment in the company under previous ownership/management.

Though of course at the time anyone making claims of underinvestment in order to artificially inflate the figures to make the business more saleable was a heretic...

Could one not argue that PN have used a non standard version of the supplied software, not recommended by the authors/vendors.

If RS can still access his webspace - perhaps he should upload a copy of his blog. That would be true irony

I've already suggested that!

Of course, there are more than a dozen statements from '05-'06 where PN were adamant that there was no lack of investment in the network or equipment, quite the opposite. Now let me quote you something much more recent:

In reply to:

---

28 March 2007:
------------------------
I have personally reviewed and approved the selection of the equipment
that we are in the process of upgrading to. I have full confidence in the
team that have been involved to date with the current upgrade and am
confident that we will be able to deliver this with no impact to our
customers.

If we do deliver successfully, I hope that you will be the first to
congratulate us. If we fail to deliver, I'll be the first on here to
apologise.

Regards,
Phil Webb
Network Services Director
http://bbs.adslguide.org.uk/showthreaded.php?Cat=&Board=plusnet&Number=2955315

---

I wonder if Mr Webb will be making an appearance on the board soon.

Edited by rsharma (Thu 17-May-07 16:01:25)

The link doesn't work!.

try this one
http://bbs.adslguide.org.uk/showthreaded.php?Cat=&Board=plusnet&Number=2955315

Wasn't that the mail storage platform?

The webmail platform is different.

That works

>Wasn't that the mail storage platform?

Yes it was.

>The webmail platform is different.

I didn't know that. Thanks for correcting me. Apologies to Mr Webb and his family for any increase in tension I might have caused with my earlier post. There won't be any need to make an appearance in front of the committee. Thank you.

Edited by rsharma (Thu 17-May-07 16:03:44)

In reply to:

---

Could one not argue that PN have used a non standard version of the supplied software, not recommended by the authors/vendors.

---

Not really - unless the flaw was specifically in those changes - but if it was I bet the chances of proving so in a court would be miniscule ...

IANAL however ...

Does the webmail platform not have access to the email platform, in order to retrieve emails to view via the webmail platform?.

Yes, but the replacement equipment to which he refers was for the mail storage platform.

Isn't the fact that the storage platform has stood up to the onslaught of spam which it has reliably delivered to our in-boxes (dammit!), proof that his assertion was correct?

Edit:

If you search the entire http://bbs.adslguide.org.uk/showthreaded.php?Cat=&Board=plusnet&Number=2955315 topic there is not a single reference to webmail.

Edited by jelv (Thu 17-May-07 16:12:40)

"The committee"

I love that.... lol

Regardless of platform its still an example of under investment in crucial areas.

The reason I bring it up is because I was one of several people citing lack of bandwidth issues were a result of purposefully underinvesting in the network in order to make the business look artificially profitable, in order to cream as much from any pottential sale; which in order lined the major shareholders pockets more favourably come selling time....

Pretty serious allegations to make at the time I was told - yet now we have Mr Armstrong actually citing previous under investment as a contributory factor to this latest disaster.

It appears that capacity was not the only part of the network suffering from under investment in order to line several of the management up with larger rewards for the sale of the company.

In reply to:

---

I wonder if Mr Webb will be making an appearance on the board soon.

---

I know for a fact (and I'm sure you can appreciate) that Phil has some other priorities right now, but I've no doubt he will be around once things have settled down.

In reply to:

---

From what I've been reading, Plusnet haven't given out any details. The details were obtained illegally. Now while one can't condone breaches in security, I've amazed that no one has even bothered to have a go at the perps of this crime. A bit like blaming the bank for an armed robbery.

---

It may be the robber who stole from the bank, but it was the bank that left the door open. In this case, Plusnet left the door open in some way, shape fashion or form. They choose the software, they choose how much they monitor and audit access to it and they're also presumably responsible that even people who've long since left plusnet still have details stored (when surey they should have been removed).

It's plusnet's responsibility at the end of the day, and the buck stops with them.

I have just managed to log into my old plusnet account and see that my email address and payment details are still there. I left Plusnet 21/09/05 or thereabouts.

http://www.skyuser.co.uk/images/plusnet.gif

That is a blatant disregard for DPA principles

Did you downgrade to a free dial-up account? If so then the fact that your details are retained by PlusNet is what I would expect.

I left Plusnet because of the Terms and Conditions that they imposed and because of the Wadev 4 on principle. Therefore I should have no access.

1) Even so, after 90 days of inactivity, they should have closed it down.

2) As a PAYG account, why would they need my payment details?

3) That is complete tosh, clearly a breech of the DATA Protection ACT, which I will address tomorrow.

At the time of the terms and conditions change, you were not allowed a PAYG account as you did not agree to their Terms and Conditions.

totally agree. if your payment details are still on the system, even if your are now pay as you go - its a blatent breach of the DPA as these details are not required for your PAYG service.

I do not think it will be a breach of the DPA as moving to PAYG means that people are still customers in PNs eyes and hence they have the option for adding additional paid for services and for this they would need payment details.

In the case where a user closes their PAYG account then I think that would be different as you are now stating that you no longer want to be a customer.

But I guess it would take someone from the ICO to clarify exactly what circumstances allow them to hold onto pesronal details.

> At the time of the terms and conditions change, you were not allowed a PAYG account as you did not agree to their Terms and Conditions.

That is correct as Plus.net say that you cannot pick and choose which parts of the T's and C's you wish to follow. It's basically all or nothing.

"That is complete tosh, clearly a breech of the DATA Protection ACT, which I will address tomorrow."

I just checked my old accounts and the card numbers are starred out. Does the appearance of card numbers mean that they still hold the original details?

TT

I would assume they are starred out just like your receipt when you go to Asda.

If they are redundant, then there is no need to keep the expiry date etc, or even the numbers that are not starred out.

I would like to see some confirmation or infact reason as to why these details are still there.

Do you have any referrals as I believe they use Credit Card details to pay same?

"I would like to see some confirmation or infact reason as to why these details are still there."

Looking at the options available in the portal it's a good bet they're still there. One way to check would be to buy anti-virus on your PAYG account.

Looking at the payment details there should be an option to delete payment sources and there is nothing. Other portals I use all have that option for payment sources. How does this apply to accounts with online retailers? They hold your payment details until the card has expired.

Both my accounts have been inactive for 16 months now and I've never dialed in to use them, but I do use fetchmail (yes, I'm using the latest version) to pull any mail from them. I'd have deleted the accounts if I wasn't getting any revenue from them.

TT

Nope.

My account should not be there, full stop. I disagreed with the terms and conditions when they changed them ages ago.