Telecom NZ Cancels 60,000 Passwords in Spam Attack, then Goes Duck Hunting with WMDs

Bazooka

Facebook, Microsoft, and Apple, oh my! The interwebs have been abuzz this week with the hacking of three of the bigger kids on the technology field; and while conspiracy theorists continue to push the Chinese military as the bully (they’d better be good hackers, ‘cause they run like girls), it seems like just another week at the ol’ IT school of hard knocks. Cyber attacks like the ones perpetrated on Apple are a bit of a ‘ho hum’ event. Big tech companies work hard to prepare for security breaches, using trained personnel and established policies to ensure that any threat is quickly mitigated, even if it means taking down an entire network during a security event. One would think the same applies to any tech company, certainly the ones which provide, as part of their service, access infrastructure to end users. But apparently, not all telecoms are created equally, certainly not the ones which show little imagination when choosing their names.

New Zealand has given the world much, not the least of which are kiwis and The Lord of the Rings movies. But delicious little fuzzy fruit and expansive mountainous scenery, while all nice and fine, are not newsworthy. One of New Zealand’s telecom providers, however, is. The telecom Telecom (no, that’s not a typo) must have had a date with the beach the day its creators got together to decide upon a name. Mental images come to mind, of executives decked out in water wings and snorkels; after fifteen minutes of disinterested debate, the new CEO shouts ‘oh, screw it! Let’s just get it over with and call ourselves Telecom! Beach on, bitches!” Thus goes the fantasy, but how Telecom recently dealt with a spam attack upon its network is not a fantasy, and it’s no joke.

On February 11, several media outlets in New Zealand reported that Telecom, one of the largest companies in New Zealand, admitted that its Yahoo XTra service had been hacked by overseas attackers. Identified as the “biggest attack of its kind to happen in New Zealand,” spam emails were sent to about 87,000 users, asking for personal details, including credit card numbers. According to 3News, “one user even received an email from a friend who died two years ago.”

According to Chris Quin at Telecom, “essentially a spammer…got into Yahoo [was] distributing a phishing email across a number of contacts in that customer base, and…that is distributing itself through the contact emails of people.” Most disturbing is that recipients didn’t even need to click the link in the email to be compromised. “Just getting the email gives hackers access to the recipient’s contacts, which means spam can then be sent to them as well, regardless of which email provider they’re with,” the 3News story reported. Security expert Martin Crocker pointed out that “If people have received an email and clicked on a link, their computer could be infected with malware, depending on the security of their machine when they clicked on that link.”

Now, it should be noted that Yahoo’s being beat up for this security breach, and Telecom is reviewing its agreement with the search engine provider.  But what’s most surprising in this story is the manner in which it played out, and the way in which Telecom has addressed the security breach. The spam attack, which was first identified on Saturday, February 9, was a week-long ordeal for Telecom’s customers, and only appears to have been rectified a week later, when Telecom began cancelling the passwords of XTra users on Saturday the 16th. 60,000 of them, in fact.

According to TVNZ.com, former New Zealand High Commissioner Ted Woodfield was one of those customers. “…Woodfield said he had tried to contact Telecom repeatedly after his Xtra email password was unexpectedly changed yesterday. “I sat on the phone for twenty minutes at a time in three separate sessions. The last one said there was an hour’s delay,” said Woodfield. Woodfield said he can now access his email but is left “frustrated” by his dealings with Telecom.”

Now, it would be fun to beat up on the company for being too lazy to pick a real name, but it’s more fun to focus on the painfully obvious. Telecom seems to have attacked this issue as if it was bringing a dirty bomb to a fist fight. The ham-handed way in which the problem was resolved, the inordinate time delay in rectifying the problem, and the customer service (or lack thereof), suggests a lesson from which other providers should take note. Hey, if Facebook can do it, then anyone can.

Leave a Reply