In February, we reported that New Zealand-based telecom Telecom (not a typo), beleaguered with a mass spam attack, canceled 60,000 of its customer passwords in an attempt at buttressing what was clearly a situation out of their control. And by out of control, we mean they weren’t capable of dealing with it. Left high and dry without so much as a ‘how do you do’ from the company’s tech support, thousands of users of the Yahoo! Xtra service tried to access their accounts without realizing that all those instances of ‘123456’ and ‘password’ had been changed surreptitiously. One of those surprised by the move was Telecom customer and New Zealand High Commissioner Ted Woodfield, who was quoted at the time by TVNZ.com as saying that he “sat on the phone for twenty minutes at a time in three separate sessions. The last one said there was an hour’s delay.”
Now, customer service mishandling and the shock and awe approach to IT disaster management aside, Telecom appears to have taken it on the chin, but everyone makes mistakes, right? Yahoo! also took a beating for the mess (although it should be noted that they weren’t the ones who canceled 60,000 passwords), and after the incident, Telecom was purported to be reviewing their agreement with the search engine company. And so, like everything else in the lightning-fast modern world, everyone moved on and assumed this wouldn’t happen again. After all, one of the tenets of IT disaster management is lessons learned. You know, new systems and processes, mitigation, and so on.
Well, just in time for the holidays, Telecom NZ is once again dealing with a massive spam attack on its users, and it appears that they’ve learned a little, but not a lot. This time, the attack hit on November 30, according to several media outlets. According to stuff.co.nz, 450,000 accounts had been moved to a new email platform, ostensibly after the February attack, but that didn’t stop “major problems over the weekend after many accounts were hijacked and used to send out spam emails containing links to malware-infected webpages.” Accounts had been moved, or were in the process of being moved, from Yahoo! Bespoke to their main email system. “Telecom retail chief executive Chris Quin said in April that he was confident that would make the service more reliable,” stuff.co.nz reports. “But both Telecom and Yahoo refused to say today whether the weekend’s attack had in fact been confined to customers on the old bespoke system.”
The response to this latest attack was to lock the accounts of affected customers, requiring them to change their passwords, and according to Radio New Zealand News, “Telecom is recommending its customers change their passwords to block unwanted emails,” although it appears that ‘recommending’ isn’t quite the correct word, because as was stated, the accounts have been locked and require a password change.
It’s Not New, Just Different
Now, none of this is terribly unusual, unless you consider that a) it’s happened again in such a short period of time and b) Telecom and Yahoo! haven’t really seemed to address the core problem. Massive attacks can lead to suggested or required password changes, as we saw earlier in the year with Adobe, and this week with Facebook and Twitter. Often, it’s the only way to be sure that users are kept safe.
But something about the way Telecom handled the attacks just…doesn’t feel right. The company seems to have been caught with its pants down in the Internet world, where you really need to wear both a belt and suspenders. In the February attack, the resulting massive cancellation of passwords appeared to be very reactive, one might even say done out of desperation. And it appears that little has been learned from that event in light of the most recent attack.
What’s most disconcerting, however, are the words of a spokesman from TUANZ, the Telecommunications Users Association of New Zealand.
It’s the Users’ Fault
Radio New Zealand reports that “TUANZ chief executive Paul Brislen said that’s all Telecom can do, and most of the blame sits with customers who didn’t act after the attack in February.”
Sure, blame the customers. After all, they’re the technology experts and it’s not like they’re paying someone else to protect their information.
When You’re Down, Just Give Up
Furthermore, “Mr Brislen said spam cannot be stopped and it’s vital customers change their passwords frequently.”
Huh? Spam cannot be stopped? Well, thank you very much, Mr. Brislen, for throwing in the towel when the rest of us have been fighting the good fight for years – and winning, we might add. And as for changing passwords frequently? Really?
Something isn’t quite right in New Zealand. Please weigh in on it.