Genie rubs users up the wrong way

NEWS The security gaffe occurred during a two-hour window on Tuesday night when subscribers to the Genie service were given direct access to confidential phone number lists on other people's accounts. Andrew Hughes, a silicon.com user who uncovered the breach by accident, was angry that Genie was taking such a laidback attitude to the breach, and claimed his details could be raided and then sold. "I have had no response from Genie after telling them I had gained access to other peoples confidential data. If I can do it without even trying then other people must be able to access to my account," he told silicon.com. Hughes said that exposing confidential data on the internet could lead to a deluge of unwanted spam text messages to his and others' mobile devices. Neil Hare-Brown, director of QCC Information Security, agreed. "Using a small amount of data and a small amount of social engineering it would be totally possibly to sell the information, for example to another WAP site," he said. A spokesman for the Data Protection Commission said that in compromising users' data, Genie may also have broken the 7th Data Protection Act principle, which states that appropriate technical measures should be taken against the processing of personal data against accidental loss, destruction or damage. He said: "It's a major security issue, giving people that type of information, although it's not 'sensitive' data as such, this is irrelevant really. Personal information like this shouldn't be available to anyone except the user and the company they're dealing with." Laurence Alexander, MD of Genie, admitted the security glitch lasted for around two hours and happened during a performance fix for part of the site. He added: "Security is of the upmost importance, which is why we have a security team here dedicated to it."