Are hosting providers allowed to do this?

brandonevans (New Member, joined Nov 24, 2011)
Just wondering, what's the protocol regarding an employee messing around with your hosted database on their servers? e.g. entering data into fields to see how the schema works etc...
 
Just wondering, what's the protocol regarding an employee messing around with your hosted database on their servers? e.g. entering data into fields to see how the schema works etc...

Generally a strict no-no, but it depends on the SLA and the context. I have done the above a few times in the last five years where the client didn't know how something worked but expected us to fix a problem of their making nevertheless. Then there are other cases, where it's perfectly OK. If you provide support for Plesk, for example, you will inevitably have to poke around in the 'psa' database because not everything you might need to do can be done either through the web interface or via the command-line tools.

But yeah, name and shame.
 
Well if you asked for support and they needed to test something, I can see why. No need to name and shame in that case.

But other than that, I usually try not to touch clients' data, unless they ask to restore from a previous backup. That's about it, no manual entering of data.

I think the other case I have is, using their own website to enter data, but any person usually will be able to do that, so that should be fine.
 
In almost all instances that is not acceptable - did they inform you that they would be doing that or ask for your permission first?
 
In almost all instances that is not acceptable - did they inform you that they would be doing that or ask for your permission first?

Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.
 
Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

Yeah, that's not on. If I was that employee I would ask their permission to copy the schema and play with it somewhere else.
 
Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

Just be sure your e-mail is not being read because their employee may be intrigued with those too :sick:
 
Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

That just is not on.
 
Not at all. Contacted the provider, and they acknowledged that it is a no-no. Apparently, the employee was intrigued by the database schema and was trying to figure out how it works by messing around with it and entering in random data.

That's enough info to make me immediately terminate my service with that provider and move on. Name and shame please. Glad I'm on a dedicated server now.

Totally not on.
 
I would take my database and site to another provider and cancel my contract with that provider immediately....

That is beyond not acceptable.

Is this on a shared hosted solution or a dedicated hosted solution?
 
I would take my database and site to another provider and cancel my contract with that provider immediately....

That is beyond not acceptable.

Is this on a shared hosted solution or a dedicated hosted solution?

It's a shared host solution. It was simply used as a basic dev server, however, I was considering moving the full environment onto their servers, now I'm quite wary, since there is sensitive client information stored on it.
Are there any legal actions I could take with regards to this?
The company is one of the large hosting providers in SA.
 
It's a shared host solution. It was simply used as a basic dev server, however, I was considering moving the full environment onto their servers, now I'm quite wary, since there is sensitive client information stored on it.
Are there any legal actions I could take with regards to this?
The company is one of the large hosting providers in SA.

I wouldn't bother with legal action. Just move your stuff elsewhere, and perhaps look at a dedicated server. You can get one with Hetzner Germany for example, for a few hundred a month.

I'm curious who the hosting provider is.
 
If it was a basic dev server and you didn't have much or any sensitive client data on it..... Then I would just leave it at that...

I would terminate the dev server hosting you have with them.. and host your full environment at another hosting provider and preferably on a dedicated box where YOU have control of the system...
 
I hope you make use of encryption for security reasons. One can never trust client information to be safe when it's unencrypted, even if it's a server in your own data-center, as long as the server is publicly accessible, there is a massive risk.
 
You really shouldn't host "sensitive" information on a shared system. With a shared system there's too much that can go wrong that might allow someone else on that server to get to your information.
 
Just an Update:
It was requested that I present who the provider was. I held back on saying because the provider is one of the larger hosting providers in South Africa, given this, I thought they would have a sense of business dignity and actually try to apologise for what had happened or at least acknowledge it. Unfortunately, due to their lack of accountability for this breach of contract, it has resulted in me having to warn you, that you should be wary of WebAfrica.

Just a short summary, basically an employee of this hosting company had edited my database schema, added tables and rows etc, inputted data, completely bypassing all database security I had in place through using their Admin rights. The employee's name was even there, unashamedly, as the person who made the updates.
After calling their help line, several times, and explaining the situation, I was put on hold, and eventually the phone was put down in my ear. I sent them several emails as well, to which they did not reply. However, they slowly started removing the tables and alterations they had made, after I had sent these emails. Indicating that they had actually acknowledged their fault, but tried to remove evidence of it.
I honestly thought a company of that stature would have better business integrity.
My intent is not to incite any defamation, simply to make any other users aware that they should be wary that these things happen.
 
wow, to think that any member of staff has access to make changes to your database, perhaps even copy it to his local machine for his own use.

I'm 99.99% certain that there's a lot more that goes on behind the scenes that would make you say "wtf!"
 
wow, to think that any member of staff has access to make changes to your database, perhaps even copy it to his local machine for his own use.

You say that as if it's an outrage. If you have any sort of managed hosting, whether it is a machine that you have root access on but that the hosting co is responsible for keeping up to date, or you're paying for an account on a shared box, the hosting provider has full access to each server because they need to in order to fulfil their obligations.

The only time when a hosting co does not have access to your stuff is where you're in a CoLo facility and you have a cage around your stuff (like ABSA has in IS).

At work I have access to the servers of a number of big companies that you will all have heard of. Full root access. Even via VPN from home. Why? Because it's my job to respond to incidents involving those servers when our clients are sleeping soundly or stuck in traffic or just generally minding their business. We manage their infrastructure. If a client phones up and says their site is running like treacle, and I find that it is something to do with the database, I will log in and check it out, and during the course of my work I might be privy to sensitive/private information of our client and their clients (which could mean any of you). It is expected and understood to be privileged access and should I abuse this access or violate our clients' privacy or confidentiality, I will get fired, and I may end up going to jail. So it ain't gonna happen.

WebAfrica clearly does not have this kind of relationship and understanding with either their customers or their employers. But that is why their entry hosting package is R19 and ours is closer to £600. You get what you pay for.
 