Pipex clings on to former customer data

Ex-Pipexers discover banking details on new website

By Chris Williams • Get more from this author

Posted in Telecoms, 5th June 2007 15:07 GMT

See what The Register's experts have to say on application security

Pipex's new account management website has angered its former customers by revealing that the ISP has retained personal details, including banking information, for up to 11 months after they quit their contract.

Mypipex.net opened for business late last week, and users on ISP forum thinkbroadband.com quickly noticed that accounts which were inaccessible on the old site were available again. Some have raised their concerns with data protection watchdogs.

Poster "p3x595" wrote (thread here): "I migrated from Pipex about six months ago and I've just managed to login to the new MyPipex using my old username and password. I am appalled that this still works and that they still have my details - including my payment card - still on file."

Another forum user, "Rupes", responded: "Felt I had to try this out despite leaving Pipex last July! Logged straight in without problems, and even found some lost messages from friends in the webmail."

The Data Protection Act states that retaining data counts as processing, which must be justified. It follows, as the Act specifies, that personal information should be retained for no longer than is needed for the reason it was collected. The Information Commissioner has details of consumers' rights here.

Pipex, which currently has about 570,000 broadband customers, had not provided a comment on why it still retained the data at time of writing, but said it was looking into the issue. Its data protection policy is here, although it makes no specific mention of former customers.

The mypipex.net login page is here. ®

See what The Register's experts have to say on application security