How a customer service call left me accidentally able to hack thousands of HTC customer records!

Usually when you have a customer service experience with a multinational company you can struggle to get much information out of them at all. With this one I ended up getting access to thousands of customer records….


The background


So the GPS on my HTC desire starts playing up and starts giving me directions like a drunk guiding traffic at an intersection. After trying factory resets etc.. HTC kindly offer to take the phone back and repair it. A few weeks later it gets returned to me with a note saying it has been fixed. They forgot however to return the battery.

This is when it starts to take a turn for the weird….


Millions of records available online?


At the bottom of the packing note is a URL with a customer ID on it. Being vaguely internet savvy I decide to put the URL into my browser to see whether I could get any more details on why my battery wasn’t included. Lo and behold my details pop up on the screen. Details include my name, address, phone serial number and phone IMEI number. No need for a password or anything.

I thought surely this information isn’t available on a public URL? So I changed the customer ID in the URL and up pop the names, addresses, phone serial and IMEI numbers of other HTC customers. From the number of digits in the customer URL it would suggest that 25 million records are available online! I try about 50 other random URLs and loads contain personal information of HTC customers.
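The flaw described here is an insecure direct object reference: the URL carries a sequential customer ID and the server trusts it. As an added illustration (not HTC's or the contractor's code; the records are constructed), the vulnerable lookup sits beside a hardened version that binds the packing-note link to a token the reader cannot forge for a neighbouring ID:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Server-side secret; in production this lives in a secrets store, not in the code.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Record:
    customer_id: int
    name: str
    address: str
    imei: str


# Constructed sample records standing in for the contractor's customer database.
DB = {
    1000001: Record(1000001, "A. Customer", "1 Example Street", "IMEI-CONSTRUCTED-1"),
    1000002: Record(1000002, "B. Customer", "2 Example Road", "IMEI-CONSTRUCTED-2"),
}


def lookup_vulnerable(customer_id: int) -> Optional[Record]:
    """The pattern in the post: the server returns whatever record matches the ID in
    the URL, with no check on who is asking. Changing the digits walks the whole table."""
    return DB.get(customer_id)


def link_token(customer_id: int) -> str:
    """Capability token for the packing-note link: an HMAC over the ID under a server
    secret. Guessing the next ID gives an attacker nothing without the key."""
    return hmac.new(SERVER_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()


def lookup_hardened(customer_id: int, token: str) -> Optional[Record]:
    """Serve the record only if the caller presents the matching token. The comparison
    is constant-time, and a wrong token and an unknown ID both return None so the
    endpoint does not confirm which IDs exist."""
    expected = link_token(customer_id)
    if not hmac.compare_digest(expected, token):
        return None
    return DB.get(customer_id)
```

A random per-record token stored alongside the record works just as well as the HMAC; either way, a field like the IMEI has no place on a status page that anyone holding a link can open.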

I speak to some technical people I know and they say that with this personal information people have previously cloned phones and run up phone bills on other people’s accounts.

I tell HTC who within a day or so secure the website which is provided by one of their third party contractors.

This was all well and good but by outsourcing customer services to a third party company surely you cannot outsource the responsibility? You need to carry out security audits of these companies as if their systems and staff are your own. You cannot just take the company’s word for the fact they are compliant?

My “privates were exposed to the world” and I wasn’t happy about it. I am just glad they didn’t get into the wrong hands!

What are your thoughts? Do you think large multinationals should be able to outsource your customer data to third party companies? Should there be automatic fines if data is exposed even if no harm was done?
