http://www.nzherald.co.nz/storydisplay.cfm?storyID=3521177&thesection=business&thesubsection=technology 02.09.2003 By CHRIS BARTON IT solutions company ITCTS has laid a complaint with the Privacy Commissioner against Iconz after one of the internet provider's former employees divulged ITCTS' login names and passwords on an open chatroom. ITCTS director Daniel Kinross said he had to go to considerable lengths to ensure none of his customers was put at risk by the password breach. "None of our systems was compromised, but the potential to cause damage with that information was enormous." The administration passwords gave full access to ITCTS databases, accounts and internal and external networks, which meant the company had to change all its customers' internet and web accounts. Kinross sought compensation from Iconz for the time it took to make the changes, plus for loss of business during the changeover and for the stress involved, but was rebuffed by Iconz general manager Sean Weekes. In a letter to Kinross, Weekes said: "Iconz sincerely regrets that the actions of [a former employee] have apparently caused you inconvenience and distress." But he also said Iconz was not responsible for its former employee's actions and that ITCTS should raise its concerns directly and seek redress from him. "Also, even if Iconz were responsible, our lawyers advise us that the terms of our contract with you will preclude you from successfully bringing the types of claims that you have raised in your letter." Kinross said that being a small company with just six staff, including contractors, he did not want get into a legal battle. "Ideally I'd like to see Iconz accountable for their actions. As a business we're out of pocket." Weekes said the former employee was not an employee of Iconz when the chatroom incident occurred, but admitted it slipped up in procedure when the employee left the company. "We have a responsibility. We failed to change our password at the time. That was overlooked." But Weekes said the terms and conditions of the Ezysurf contract with ITCTS limited Iconz's liability. He has also written to Privacy Commissioner Bruce Slane seeking guidance over the incident. "I don't condone what he's done. It was a disgusting abuse of trust. He's no longer a customer of ours either." Weekes said he was happy to discuss the matter further but talks had broken down when Kinross threatened to go to the commissioner and the press. Kinross said he had no option but to act when Weekes failed to attend a meeting on the matter. Weekes said he had sent the former employee's supervisor to the meeting because he knew more about the subject. The password breach occurred in early July when an ITCTS contractor and subsequently Kinross had a conversation on internet relay chat with a person using the online name "nny_" . A transcript of the session shows taunting and bravado on both sides, leading to nny_ threatening to compromise ITCTS' network security. "I will seriously **** your net connection," nny_ said at one point. During the session he typed ITCTS' password, login names and Kinross' mobile and home phone number. The Herald was unable to contact the former employee. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Sep 03 2003 - 06:20:45 PDT