Sky TV CEO John Fellet’s online help system account has been defaced after users discovered the system was insecure and potentially leaking personal information.
The help system used by the broadcaster lacks account authentication by password, allowing access from the internet simply by guessing the email address of a registered user.
When Sky TV customer Ben Gracewood wanted to unsubscribe from the daily programme listings emailed to him, he discovered that he couldn’t log onto the satellite TV operator’s main site.
Gracewood then posted a support query about his problems on Sky TV’s online help site, and later, went back to check if he had received a response.
However, Gracewood had forgotten which email address he used for the online help system and couldn’t retrieve it. He twittered about his frustration, as he couldn’t log in.
“Next, someone on Twitter told me they were able to log into the site, using my personal email address, with no password required. That made me really upset,” Gracewood says.
He contacted Sky TV about what he calls “a clear security breach”, but says he hasn’t heard back from them. Astounded at the lack of protection for the online help system, Gracewood discovered that he was able to log in using email addresses belonging to Sky TV employees, which are easily found through Google.
Computerworld verified that once you have the email address of a user registered on the website, it’s possible to log in with just that and no password. By logging in with an email address belonging to Sky TV’s web development manager, it was also possible to view customer queries.
Some of these queries contained the customer’s name, email, phone and account numbers and in one case, the home address.
What’s more, it was possible to edit and change the details in the customers’ accounts, such as names and email addresses.
Sky TV employees’ accounts on the online help system include one belonging to CEO John Fellet, which has been defaced, as it was editable by anyone.
“It’s complete madness,” Gracewood says, “to have a giant hole like that in Sky TV’s help website’s security.”
Sky TV spokesman Tony O’Brien says the web-based Customer Relationship Management system his company uses is provided by RightNow Technologies in Bozeman, Montana. The system is used to answer customer queries either via the site itself or directly via email. Other users of RightNow include Air New Zealand, Telecom and NZ Immigration, O’Brien says.
Brett Waters, Asia Pacific South VP of RightNow, says the system has a high degree of configurability. It appears in this case the requirement for a password was turned off.
O’Brien says Sky TV’s web development team is adding security urgently, including password protecting accounts.
Privacy Commissioner Marie Shroff says good privacy is good business.
“People wouldn’t generally expect their contact details to be easily accessible to third parties from a company’s online queries system.”
Shroff says having to enter an email address isn’t sufficient protection. She says a password is a minimum security measure to prevent unauthorised access.