My name is Francis Comerford. As some of you may already know, I am the owner of Cpanel Ireland. We provide web hosting, online security advice, website development and much more. I am a new start-up business but have been managing hosting accounts and servers and creating websites for the past 20 years or more.
Yesterday I discovered a major security hole with Eir's phone system. As it turned out, it was possible to retrieve any Eir customer's balance on their account. I found this out by accident, as I was trying to contact Eir to move my account to them but could not find a landline number to ring, so from my own Eir mobile I dialled 1901.
The system would not let me continue without an account number or a valid phone number, so just to get through to someone I entered my father's landline number with the hope of getting through to someone.
While going through the steps on the phone, I selected the options available to me to pay my bill, thinking I could then get through to someone and get put through to the correct department, but to my surprise the system actually told me my own father's balance on his account.
After this shock I then decided to investigate this problem that I had found. I went to Eir's online phone book and tested this out on many phone numbers there, businesses and private customers. To my surprise, I could get the balance on every valid Eir account that I came across, including one Fianna Fáil TD, Thomas Byrne (Constituency: Meath East). I have contacted his office with their balance on their Eir account and they have told me that he will be informed as soon as he is out of his meetings.
Considering the recent GDPR (General Data Protection Regulation), which went into effect on the 25th of May, I simply could not believe that anyone could access financial data on any Eir account.
Apart from the fact that nobody would like that someone could find out if they owe money to Eir, this information could be used by scammers in a confidence call, in which a scammer could ring one of these Eir customers and, with the information obtained from Eir's leaked financial data, could then convince the customer that they are indeed talking to a member of the Eir team, and the customer could be convinced to hand over credit card information.
I have contacted Eir about the information collected during the course of my investigation, and Eir have assured me that the security hole in their phone system will be fixed, but not before the agent actually tried to say that I was in breach of data protection laws?
I also asked to speak to their data protection officer. I was told first they had none, and then I was given an email address to send the information to. I informed the agent that I was not going to send an email, as the problem with their phone system is current and requires immediate attention. The agent said on the phone call that he would be passing this information on to his supervisor. I have also informed them that I would be posting this information online, as people have the right to know that their financial data is viewable to anyone.
For the moment I have held on to the data that I have obtained as proof of the breach and to protect myself. None of the information that I have collected has been released by myself to the public domain, but as of the date and time of this post this information can still be found.
Tuesday, June 19, 2018