PowerGen stems flow to bloody nose
Top exec with brains turns up just in time
It was a massive cock-up and everyone knew it. Leaving customer credit card details and addresses outside the firewall, accessible to anyone with an Internet connection, was ineptitude of the highest order.
It was bad enough shooting itself in the foot once, but then PowerGen proceeded to empty the entire clip into the mangled remnants. No, it wouldn't contact the other people whose privacy had been compromised. Even if it had no intention of contacting them, for god's sake tell everyone that you will. And so the security disaster was brought to the press' attention.
Asked about the situation by journalists, PowerGen then denied any such thing had occurred. BANG! Faced with proof, it concedes. BANG! It then accuses the man who discovered the hole and brought it to their attention of being a hacker. BANG! BANG! BANG!
And while it continues firing, the IT and national press stroll up and punch it on the nose, drawing blood first time. The company's top execs must have panicked when they realised how out of control the story had gotten. You can be sure that PowerGen's press spokesman is getting a right royal bollocking today.
But then in steps PowerGen's Retail Managing Director, Mike Wagner - a man with a brain and a hanky to hold to its bloody nose. First of all, be serious and apologise, then say you have some experts on the case who are working out how this could possibly happen (they will produce a report and this will never occur again). Then point out that it has been blown out of all proportion and the truth is far less exciting. Say you have involved the police. Say you are grateful to the man that discovered the hole (and subsequently ruined your week). And finally reiterate your commitment to the Web.
Mikey boy did all this and then kicked in with a sweetener - all those customers affected would be contacted individually and £50 given to those that choose to cancel their credit card. Not much considering the hassle, but at least it looks like concern. 8/10 Mike.
But despite all this, we are still amazed that big companies clearly still haven't sorted out their IT problems. PowerGen isn't the first and sadly it's not going to be the last.
We've put the PowerGen response from Mike Wagner below for you to peruse.
"We take security of customer information extremely seriously and I am sorry that this has happened and that customers may have been inconvenienced.
"The web site was immediately closed down and our systems experts confirmed that this was a one-off incident. Initial investigations showed that the information which had been accessed was in a file which due to a technical error was temporarily outside of the security gate of the system. This was immediately corrected and new procedures introduced to eliminate the possibility of it happening again. There was no breach of the security of our main customer database.
"We are directly contacting customers who pay accounts via the Internet and will assure them that the problem has been corrected. We have also set up a free phone customer information hotline and urge any of our customers who are concerned to contact this number (0800 0157755). As an additional security measure we are advising customers to change their card numbers and will offer compensation for the inconvenience. Meanwhile the online transaction site remains closed.
"We are now embarking on a wider reaching review of systems security in conjunction with external expert consultants and will be in further contact with John Chamberlain to assist us with this review. We plan to publish the results of the external consultants' audit on our web site.
"This has clearly raised some more general concerns about payment over the Internet. I will be asking banks, other financial services organisations and companies engaging in transactions over the web to discuss these wider issues with us. However, we remain committed to the Internet as customers increasingly find it a convenient way of doing business with us." ®