Are hosting providers allowed to do this?



brandonevans
04-01-2012, 08:02 PM
Just wondering, what's the protocol regarding an employee messing around with your hosted database on their servers? e.g. entering data into fields to see how the schema works etc...

cbrunsdonza
04-01-2012, 08:38 PM
Name and shame

koffiejunkie
04-01-2012, 09:19 PM
Just wondering, what's the protocol regarding an employee messing around with your hosted database on their servers? e.g. entering data into fields to see how the schema works etc...

Generally a strict no-no, but it depends on the SLA and the context. I have done the above a few times in the last five years where the client didn't know how something worked but expected us to fix a problem of their making nevertheless. Then there are other cases, where it's perfectly OK. If you provide support for Plesk, for example, you will inevitably have to poke around in the 'psa' database because not everything you might need to do can be done either through the web interface or via the command-line tools.

But yeah, name and shame.

Tinuva
04-01-2012, 09:27 PM
Well if you asked for support and they needed to test something, I can see why. No need to name and shame in that case.

But other than that, I usually try not to touch clients' data, unless they ask to restore from a previous backup. That's about it, no manual entering of data.

I think the other case I have is, using their own website to enter data, but any person usually will be able to do that, so that should be fine.

RSkeens
04-01-2012, 10:12 PM
In almost all instances that is not acceptable - did they inform you that they would be doing that or ask for your permission first?

brandonevans
05-01-2012, 12:10 PM
In almost all instances that is not acceptable - did they inform you that they would be doing that or ask for your permission first?

Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

koffiejunkie
05-01-2012, 12:20 PM
Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

Yeah, that's not on. If I was that employee I would ask their permission to copy the schema and play with it somewhere else.

RSkeens
05-01-2012, 02:53 PM
Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

Just be sure your e-mail is not being read because their employee may be intrigued with those too :sick:

The_Librarian
05-01-2012, 03:04 PM
Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

That just is not on.

shogun
05-01-2012, 03:07 PM
Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

That's enough info to make me immediately terminate my service with that provider and move on. Name and shame please. Glad I'm on a dedicated server now.

Totally not on.

ToxicBunny
05-01-2012, 03:19 PM
I would take my database and site to another provider and cancel my contract with that provider immediately....

That is beyond not acceptable.

Is this on a shared hosted solution or a dedicated hosted solution ?

brandonevans
06-01-2012, 08:20 AM
I would take my database and site to another provider and cancel my contract with that provider immediately....

That is beyond not acceptable.

Is this on a shared hosted solution or a dedicated hosted solution ?

It's a shared host solution. It was simply used as a basic dev server; however, I was considering moving the full environment onto their servers, and now I'm quite wary, since there is sensitive client information stored on it.
Are there any legal actions I could take with regards to this?
The company is one of the large hosting providers in SA.

shogun
06-01-2012, 08:25 AM
It's a shared host solution. It was simply used as a basic dev server; however, I was considering moving the full environment onto their servers, and now I'm quite wary, since there is sensitive client information stored on it.
Are there any legal actions I could take with regards to this?
The company is one of the large hosting providers in SA.

I wouldn't bother with legal action. Just move your stuff elsewhere, and perhaps look at a dedicated server. You can get one with Hetzner Germany for example, for a few hundred a month.

I'm curious who the hosting provider is.

ToxicBunny
06-01-2012, 11:05 AM
If it was a basic dev server and you didn't have much or any sensitive client data on it..... Then I would just leave it at that...

I would terminate the dev server hosting you have with them.. and host your full environment at another hosting provider, preferably on a dedicated box where YOU have control of the system...

Tinuva
06-01-2012, 11:28 AM
I hope you make use of encryption for security reasons. One can never trust client information to be safe when it's un-encrypted, even if it's a server in your own data-center; as long as the server is publicly accessible, there is a massive risk.

koffiejunkie
06-01-2012, 01:13 PM
You really shouldn't host "sensitive" information on a shared system. With a shared system there's too much that can go wrong that might allow someone else on that server to get to your information.

WPD
06-01-2012, 04:03 PM
Not on at all.

Time to switch hosting providers.

brandonevans
02-02-2012, 04:56 PM
Just an Update:
It was requested that I present who the provider was. I held back on saying because the provider is one of the larger hosting providers in South Africa, given this, I thought they would have a sense of business dignity and actually try to apologise for what had happened or at least acknowledge it. Unfortunately, due to their lack of accountability for this breach of contract, it has resulted in me having to warn you, that you should be wary of WebAfrica.

Just a short summary: basically an employee of this hosting company had edited my database schema, added tables and rows etc., inputted data, completely bypassing all database security I had in place, through using their admin rights. The employee's name was even there, unashamedly, as the person who made the updates.
After calling their help line several times and explaining the situation, I was put on hold, and eventually the phone was put down in my ear. I sent them several emails as well, to which they did not reply. However, they slowly started removing the tables and alterations they had made after I had sent these emails, indicating that they had actually acknowledged their fault, but tried to remove evidence of it.
I honestly thought a company of that stature would have better business integrity.
My intent is not to incite any defamation, simply to make any other users aware that these things happen.

isp-insider
03-02-2012, 11:21 PM
wow, to think that any member of staff has access to make changes to your database, perhaps even copy it to his local machine for his own use.

I'm 99.99% certain that there's a lot more that goes on behind the scenes that would make you say "wtf!"

koffiejunkie
03-02-2012, 11:59 PM
wow, to think that any member of staff has access to make changes to your database, perhaps even copy it to his local machine for his own use.

You say that as if it's an outrage. If you have any sort of managed hosting, whether it is a machine that you have root access on but that the hosting co is responsible for keeping up to date, or you're paying for an account on a shared box, the hosting provider has full access to each server because they need to in order to fulfil their obligations.

The only time when a hosting co does not have access to your stuff is where you're in a CoLo facility and you have a cage around your stuff (like ABSA has in IS).

At work I have access to the servers of a number of big companies that you will all have heard of. Full root access. Even via VPN from home. Why? Because it's my job to respond to incidents involving those servers when our clients are sleeping soundly or stuck in traffic or just generally minding their business. We manage their infrastructure. If a client phones up and says their site is running like treacle, and I find that it is something to do with the database, I will log in and check it out, and during the course of my work I might be privy to sensitive/private information of our client and their clients (which could mean any of you). It is expected and understood to be privileged access and should I abuse this access or violate our clients' privacy or confidentiality, I will get fired, and I may end up going to jail. So it ain't gonna happen.

WebAfrica clearly does not have this kind of relationship and understanding with either their customers or their employers. But that is why their entry hosting package is R19 and ours is closer to £600. You get what you pay for.

Tinuva
04-02-2012, 10:39 AM
koffiejunkie, well said and all, but that post of yours speaks more about your own integrity than the company you work for.

Having a bad employee could happen to any company regardless of how hard they try to get the right person for the job. While some people have integrity and honesty, for every one of them you will find someone who will lie and trick their way into a job. I say this because I have now worked a little bit over 5 years in the ISP industry, and my eyes have opened as to what happens and how things work, and I believe you get more people that will hurt the company you work for than you get people that actually want to be there and improve things or just do it right.

Reading this thread again made me realize this is more about the person than the company, while the company still has a role to play in all of this, having the correct policy and procedures to keep things like that in line. But who knows, maybe that person really just wanted to poke around etc.; I am surprised that he and the company are so honest about it.

koffiejunkie
04-02-2012, 11:59 AM
koffiejunkie, well said and all, but that post of yours speak more about your own integrity than the company you work for.

I guess that's safe to assume but it depends on the company. Our recruitment process is pretty brutal and we routinely turn away technical wizards when there's even a subtle hint that they're not a 100% fit. We've had a handful of bad apples slip through, but they tend to get weeded out pretty quickly.


I say this because I have now worked a little bit over 5 years in the ISP industry, and my eyes have opened as to what happens and how things work, and I believe you get more people that will hurt the company you work for than you get people that actually want to be there and improve things or just do it right.

That's an interesting observation. I think the margins you work with have a big impact on the sort of work you end up doing and, as a result of that, the kind of people you attract and are able to retain. Doing shared hosting support is bottom-feeder stuff. Extremely narrow scope, no depth, little skill required, little job satisfaction.


But who knows, maybe that person really just wanted to poke around etc.; I am surprised that he and the company are so honest about it.

I'm not surprised they were honest about it. I think companies are starting to come around to the idea that being honest about mistakes they make and taking the heat is good for customer relations and reduces the chances of getting sued further down the line. What I am surprised about is that they admitted what happened but didn't apologise and offer some form of compensation.

isp-insider
06-02-2012, 07:38 AM
Management at WebAfrica should have immediately come forward and firstly apologized for the inconvenience caused by this. If the evidence presented to them was in black and white, as it seems to be based on your explanation of events, then it shouldn't have taken them too long to identify the person responsible. At this point, some form of communication to you advising that the matter is being dealt with internally and that they're willing to offer any assistance in regards to restoring your database.

Not too sure if this is a lack of interest on their part, or perhaps one of those moments where they've made the wrong call at addressing the issue and taking control of the situation.

Either way this leaves a bad taste in one's mouth and definitely makes you think twice about using WebAfrica.

WAJeff
06-02-2012, 09:26 AM
Hi guys,

This is definitely something that is completely unacceptable, and I have never, ever come across a case like this in my almost 5 years of working at Web Africa. As an ISP, we strive to keep every single customer's details and information private, whether it be a customer with a couple of tables listing colours or a massive corporate database containing sensitive info. Across the board, we have very strict privacy policies in place.

@brandonevans: Please PM me with your client code and any other relevant info: ticket IDs, call times and what number you phoned us from. I'd like to look into this immediately for you.

isp-insider
06-02-2012, 01:56 PM
Across the board, we have very strict privacy policies in place.

Considering the nature of this confidentiality breach and that this is now in the public domain, I would be interested in seeing a copy of these policies. What is WebAfrica doing to ensure that this doesn't happen again?

WAJeff
07-02-2012, 10:59 AM
Considering the nature of this confidentiality breach and that this is now in the public domain, I would be interested in seeing a copy of these policies. What is WebAfrica doing to ensure that this doesn't happen again?

http://www.webafrica.co.za/privacy/#Accesstopersonaldata

There are also internal policies in place and security procedures to ensure that we keep your data private. Unfortunately I can't share these on a public forum though.

@OP: Any news on that PM for me?

isp-insider
07-02-2012, 04:03 PM
http://www.webafrica.co.za/privacy/#Accesstopersonaldata

There are also internal policies in place and security procedures to ensure that we keep your data private. Unfortunately I can't share these on a public forum though.

@OP: Any news on that PM for me?

Thanks Jeff.

The link you sent me pertains to personal information which I, the client may have provided you upon signing up as a client and not information which I upload to your servers and entrust you to keep safe from third parties including your staff.

Access to personal data

11. If you believe that your personal data which we may have is outdated or incorrect please ask us to correct it – please use our contact page. Please provide us with all the information we need to make the correction.

12. You can also request access to any relevant personal data held by the web site owner as laid out in the Promotion of Access to Information Act 2 of 2000 (“PROATIA”) and where such access is necessary for you to exercise and/or protect any of your rights. We think that it will probably be simpler for you to just send us an e-mail asking for the information you need.