Easynet alerts police to security firm's "breach"

Internet service provider Easynet has filed a complaint to Scotland Yard's Computer Crime Unit against a small firm of consultants after it blew the whistle on serious security weaknesses in servers on the provider's network.

Easynet has confirmed that it has sent a file of evidence about the activities of security consultancy DDPlus to the police, after the consulting firm uncovered security problems on servers belonging to Easynet and its customers.

Computer Weekly revealed last month that Web sites belonging to hundreds of Easynet customers may have been placed at risk by server configuration errors which had left sensitive information, including user names, on Web servers accessible from the Internet.

In a statement to Computer Weekly, the Internet service provider said it had contacted detectives at the Computer Crime Unit following concerns that DDPlus' activities may have breached the Computer Misuse Act.

"Easynet takes any attempt to breach the security of its networks extremely seriously. And to this end we have passed evidence to the police concerning DDPlus. It is therefore inappropriate for us to comment further," it said.

The complaint came after DDPlus, acting on its own initiative and in an attempt to help the ISP fix the problems, handed Easynet a dossier of computer files and a written explanation showing how the firm had been able to exploit security weaknesses on servers on Easynet's network.

The files show that DDPlus was able to view confidential files, including databases of passwords and user names of 1,700 current and former Easynet Web clients and of other leased-line customers.

"We think Easynet is making a mistake. We are trying to help them. Since we have not done any damage to Easynet's servers, clients, network or data, we feel that Easynet should be thanking us instead of accusing us," said DDPlus managing director Dinis Cruz.

In an exchange of e-mails with DDPlus, Easynet's business development director, Justin Fielder, claimed that the Easynet servers accessed by DDPlus were old and about to be de-commissioned. "The machines being taken out of service were only vulnerable as they were removed from our patching and lockdown schedule prior to being turned off but unfortunately the full de-commissioning process was interrupted," said Fielder.

Easynet also claimed that the files viewed by DDPlus were old and have "little relationship to current operations".

DDPlus has since e-mailed the firm evidence it found that user names and passwords of Easynet customers contained in the files are still in use.

Easynet said it was unable to comment further on its complaint. Scotland Yard confirmed that it received the complaint last week.
