Broadband security breach of customer information

18 October 2006

Anders Hellström

In early September, Swedish broadband provider Bredbandsbolaget carried out an advertising campaign in connection with its merger with Telenor, an international telecom company. The campaign consisted of pamphlets sent out by mail to a large number of Bredbandsbolaget's customers, containing various offers for them to take part in a celebration of the merger. To facilitate the recipients' use of the offers, Bredbandsbolaget also printed each customer's individual username and password in the advertisements, which were folded and sealed with glue.

However, as it turned out, the folding and the glue did little to conceal the information printed in the advertisements. Bending the paper slightly, without ever breaking the seal, was enough to reveal the usernames and passwords. This in effect gave access to the customers' accounts, where the settings for email, storage and the customers' web pages are available.

Initially, Bredbandsbolaget claimed that the information printed was only the customers' original passwords, issued by the company, and that there was no security risk for anyone who had changed to another password. This, however, turned out to be wrong, as became clear when numerous customers contacted the company and complained that their personal passwords had been printed in the advertisement. Furthermore, the design of the campaign ad was such that people could mistake it for a regular advertisement and simply throw it away, with the risk of someone else getting hold of the information.

Bredbandsbolaget has issued statements apologising for the incident and accepts that its security procedures are insufficient. In connection with this problem, it was also discovered that the password information stored on Bredbandsbolaget's servers was not encrypted, a problem which the company is now working to rectify. Bredbandsbolaget's efforts to help its customers change their compromised passwords were met with further suspicion, since the now wary customers thought it might be an unsolicited third-party attempt at obtaining their passwords through "phishing".

The aftermath of the incident is as yet unknown, but according to the Swedish National Post and Telecom Agency (the PTS) the company is in breach of chapter 6 sections 3 and 20 of the Electronic Communications Act, which takes precedence over the Personal Data Act where these issues are concerned. Section 3 of the Act is an implementation of article 4(1) of the directive on privacy and electronic communications (2002/58/EC). The sections mentioned contain rules regarding the level of security which a service provider must uphold in order to provide sufficient protection for personal data and for the handling of such data. The PTS has also received multiple formal complaints and has therefore initiated an investigation into the issue. Should Bredbandsbolaget not change its procedures for handling personal data in accordance with the authority's instructions before 9 October 2006, it may be ordered to do so by the PTS.

Computer Sweden, 2006-09-05, 2006-09-06 and 2006-09-11; Näringsliv24, 2006-09-06; and the Post and Telecom Agency notice of 2006-09-07.