Need assistance - ISP Client documents "publicly" available

Koning Lodewyk

Hi Guys,

I need some advice. This is now the second time I have found an issue on my ISP's customer portal allowing me to get all the other clients' copy of ID, debit order mandates (including all banking info) and proof of residence documents.
Luckily it's not as easy as typing a name in Google and the data is there, but the fact that I am not a web developer or in infosec makes me pretty worried and would make this a very easy data heist for the people who are into this kind of stuff.

Do I get the ISP to act and do some thorough investigations and actually lock down customer data (I have no idea how to get the info to them except WhatsApp support) or do I use this info against them to possibly get away from them without paying the claw back fee and get a new ISP ASAP?

Any input would be appreciated!
 
The correct thing to do would be to inform the ISP immediately. Definitely do not try to blackmail them.
 
Oh snap, is this Web Africa? You must try to find a way to contact them. You should try emailing ISPA and see if they can assist with this. Do not try the blackmail, you will come 2nd best and the law she's a very harsh in South Africa. The mere fact that you kiddingly suggest an act of using it against them is borderline at best.
 
Blackmail is definitely not the aim here. If I want to leave them as a client because they can't secure client data, I just don't feel like having to pay a clawback is fair. Or should I just shut up, pay and leave after letting them know?
 
I think this is a great idea, their example states under the web form 'my right to privacy is being infringed by the publication of my credit card number'.

Seeing that it's an ISP, they control the hosting. It doesn't matter where it's hosted, ISPA will be able to request them to remove the info.


ISPA are the industry regulator so they should be the best option I think.
 
I managed to get details for the MD of the ISP on LinkedIn and sent him the details. He has forwarded the details to the relevant teams. So now it is a waiting game to see how long it takes to get fixed.
 
I wanted to give them a fair chance to respond to the issue first after the MD actually responded to my LinkedIn message, so an email was sent to the MD, who acknowledged receipt of the mail and confirmed it was sent to the relevant teams. If I submit to ISPA I'm sure it is gonna take them a week also before the request gets looked at? Would have thought the MD would ensure a fix same day or even take down the relevant web server but they apparently do not give a rat's ass.
 
ISPA after lodge take 24/48 hours; you've had 5 days to lodge it. You sir/Madam/it are playing a foul game by being on here looking for "advice"; you know what to do. You have been given it. If you really feel that you need to take it a step further, I'd approach a lawyer and file a case. Then you can make your demands of release etc. No ISP apart from myself (also a small amount of ISPs) gives a rat's ass about the end-user; you're just another subscriber they can replace in a heartbeat.
 
No need to become hostile. I have done and am busy with what has been suggested. The rest was just a follow-up if for some reason anybody was interested. I know well nobody gives a damn about a single client and I don't want any pity from the ISP, but the issue is related to all clients, even day 1 customers that I am sure some are not even clients anymore, so I would have hoped the ISP takes note and gives a damn without the issue being escalated to regulatory bodies etc. after they were notified first. If you still think I am playing the "foul game" I will refrain from giving any further updates.
 