[ISN] ISP pursued over chat blab

From: InfoSec News (isnat_private)
Date: Wed Sep 03 2003 - 02:23:46 PDT


    IT solutions company ITCTS has laid a complaint with the Privacy
    Commissioner against Iconz after one of the internet provider's former
    employees divulged ITCTS' login names and passwords on an open
    ITCTS director Daniel Kinross said he had to go to considerable
    lengths to ensure none of his customers was put at risk by the
    password breach.
    "None of our systems was compromised, but the potential to cause
    damage with that information was enormous."
    The administration passwords gave full access to ITCTS databases,
    accounts and internal and external networks, which meant the company
    had to change all its customers' internet and web accounts.
    Kinross sought compensation from Iconz for the time it took to make
    the changes, plus for loss of business during the changeover and for
    the stress involved, but was rebuffed by Iconz general manager Sean
    In a letter to Kinross, Weekes said: "Iconz sincerely regrets that the
    actions of [a former employee] have apparently caused you
    inconvenience and distress."
    But he also said Iconz was not responsible for its former employee's
    actions and that ITCTS should raise its concerns directly and seek
    redress from him.
    "Also, even if Iconz were responsible, our lawyers advise us that the
    terms of our contract with you will preclude you from successfully
    bringing the types of claims that you have raised in your letter."
    Kinross said that being a small company with just six staff, including
    contractors, he did not want to get into a legal battle.
    "Ideally I'd like to see Iconz accountable for their actions. As a
    business we're out of pocket."
    Weekes said the former employee was not an employee of Iconz when the
    chatroom incident occurred, but admitted it slipped up in procedure
    when the employee left the company.
    "We have a responsibility. We failed to change our password at the
    time. That was overlooked."
    But Weekes said the terms and conditions of the Ezysurf contract with
    ITCTS limited Iconz's liability. He has also written to Privacy
    Commissioner Bruce Slane seeking guidance over the incident.
    "I don't condone what he's done. It was a disgusting abuse of trust.  
    He's no longer a customer of ours either."
    Weekes said he was happy to discuss the matter further but talks had
    broken down when Kinross threatened to go to the commissioner and the
    Kinross said he had no option but to act when Weekes failed to attend
    a meeting on the matter.
    Weekes said he had sent the former employee's supervisor to the
    meeting because he knew more about the subject.
    The password breach occurred in early July when an ITCTS contractor
    and subsequently Kinross had a conversation on internet relay chat
    with a person using the online name "nny_".
    A transcript of the session shows taunting and bravado on both sides,
    leading to nny_ threatening to compromise ITCTS' network security.
    "I will seriously **** your net connection," nny_ said at one point.
    During the session he typed ITCTS' password, login names and Kinross'
    mobile and home phone number.
    The Herald was unable to contact the former employee.
