|reply to Upset |
Re: Other customers can see my infor
So annoying when Hughes locks the topic... Saw Madhatter somehow snuck a comment in there. When I tried it was locked.
Upset, Perhaps you could shed more light on the situation? Sara's last reply contradicts your statements in a number of ways:
- "Isolated instance". You mentioned that "They [tech support] keep telling us several customers have this issue".
- "Credit card information was not compromised" - You said "Our emails, address, credit card, past bills etc have been open for this other customer to see"
- "This was first brought up to our attention on January 15th" - vs "Hughes customers can view my private information for 3 months now"
- "identifying the root of the problem and implementing a complete fix took the couple of weeks" - vs it being strange that it got fixed one day after it was made public. May be coincidence but I doubt it knowing Hughes.
If you have any other information that Hughes may have told you but did not make public that would also be useful. I for one am not convinced that my info is secure.
Their previous statement about telling you to re-register makes me think that they have just fixed the issue for your account but it may happen again to someone else.
The more information you can provide the better. Thanks for your help.
Okay. Great questions notech! Yes there does seem to be contradictions. I am waiting on confirmation from the person that saw my info...to make sure I understand his side....but...this is the info I received and how I understand it.
The other customer (call him concerned) emailed me on Jan 15 saying that he can see my account when they log on using their log on credentials. Concerned said he had contacted Hughes several times to get this fixed and they had not fixed the issue, so he notified Hughes (Jan 15) that he was filing a complaint with the FBI if he did not get a call back from them by Saturday the 19th. In that same email he said he would send me pictures of what he could see. In that same email he said this had been going on since November. Hughes did not call him by that day.
I emailed Concerned back asking to see the pictures because we did not really believe this was true.
Concerned sent me pictures that CLEARLY showed our account information.
I let my husband take care of contacting Hughes to find out what was going on and honestly I am not exact about the date he did that. But most importantly.....Hughes NEVER called us to let us know what was happening.
Okay the above info is how I got my dates of what length of time things happened.
Once I got involved with contacting Hughes....I was told by two different tier 4 tech guys that this problem was happening to several other customers too.
In regards to the amount of info Concerned could see....well log onto your customer care account on Hughes......that is what they could see of MY info. They had complete control over all aspects of my account. They could have done some serious damage to my email and account.
When Hughes said the problem was fixed and I should re register....I tried to and could not because the Hughes system was not recognizing my SAN and phone number together. I called them back and told them....they called 5 hours later and said to try again....later that night I tried again...same error....the next day they said try again....same error....then I got a call from a group of people and they asked me to try again while I was on the phone. THAT time they mentioned....make sure you put the beginning letters of your SAN in all caps. Well..........I had not been doing that. I now got re registered. But after I got registered they said.....well is everything fixed now? Can you surf the Internet. I reminded them I could surf before they 'fixed' everything. I told them that I don't know if it is fixed because I don't know if Concerned can still see my info. They told me that they 'decoupled' our account from Concerned's account. So everything is now fixed. But then in the next sentence they asked me for Concerned's name. How did they decouple my account when they did not know whose account it was coupled with in the first place? They proceeded to tell me that this was an isolated issue with only my account, which I do not think is true, but anyway.
Now the people on that call were VERY nice and helpful and respectful. I believe engineers and executives. I told them that my husband was going to ask me "what did you get for our troubles" (that is just how he is), so they gave me a credit of three months service.
|reply to notech |
said by notech:
"Credit card information was not compromised" - You said "Our emails, address, credit card, past bills etc have been open for this other customer to see"
While I had Hughes service for many years I was never a Hughes customer, so a question to all of those who are: Are you able to see your OWN credit card info when you log in?
That is generally a no-no. Last 4 digits only would be max. If you can see it, they need to be told to reprogram their site. If you can't see it, likely nobody else could either even if two accounts became cross-wired.
Actually, beyond displaying it, the web server shouldn't even have access to the whole number. That should be one-way only, when you put in new information, transmitting to the database, but no way for the web server to read it back from the database in its entirety.
Author of hnFAP-Alert, PC-OPI and DSSatTool
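The write-only arrangement described in the post above, sketched as an added example (not part of the thread and not Hughes' actual schema): PostgreSQL column-level privileges let a web-tier role insert a full card number but read back only the last four digits. Table, column and role names are hypothetical, and the card number is a constructed test value.

```sql
-- Hypothetical schema: the full number (pan) and its last four digits
-- are stored side by side so the web tier never needs to read pan.
CREATE TABLE payment_card (
    card_id    bigserial   PRIMARY KEY,
    account_id bigint      NOT NULL,
    pan        text        NOT NULL,   -- full card number
    last4      char(4)     NOT NULL,   -- the only part shown on the site
    created_at timestamptz NOT NULL DEFAULT now(),
    CHECK (pan ~ '^[0-9]{12,19}$'),
    CHECK (last4 = right(pan, 4))
);

-- Hypothetical roles: the customer-care web site and the billing job.
CREATE ROLE web_app;
CREATE ROLE billing_batch;

-- Start from nothing, then grant per column.
REVOKE ALL ON payment_card FROM PUBLIC, web_app, billing_batch;

-- Web tier: may write a new card, may read everything except pan.
GRANT INSERT (account_id, pan, last4) ON payment_card TO web_app;
GRANT SELECT (card_id, account_id, last4, created_at)
      ON payment_card TO web_app;
GRANT USAGE ON SEQUENCE payment_card_card_id_seq TO web_app;

-- Billing job: the only role allowed to read the full number.
GRANT SELECT (card_id, account_id, pan) ON payment_card TO billing_batch;

-- What the web tier can and cannot do (constructed test data).
SET ROLE web_app;

INSERT INTO payment_card (account_id, pan, last4)
VALUES (1001, '4111111111111111', '1111');

SELECT account_id, last4
FROM payment_card
WHERE account_id = 1001;            -- allowed: last four digits only

-- The next statement is rejected with a permission-denied error,
-- because web_app holds no SELECT privilege on the pan column:
-- SELECT pan FROM payment_card WHERE account_id = 1001;

RESET ROLE;
```

With this split, two accounts becoming cross-wired in the web application would still expose only what the `web_app` role can select, which excludes the full card number.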
dbirdman, I am on the old HN9000 and have a different support site. This site does not display any billing information beyond invoices that only say "paid with credit card". Gen4 customers have a different site. I totally agree on everything you say.
|reply to Upset |
Hey Upset, I was finally able to test the Gen4 customer care system. I looked at the information displayed and saw that the credit card info displayed the last 4 digits of the card. Can you confirm that was the same in the screenshots you received from "Concerned"? Like "wkell" said there is still a lot of personal info that is displayed that a scam artist could use but it does reduce the severity of the exposure.
Tried to test registration using lower case SAN but could not replicate the problem. When you were registering did you check the box next to "have customer ID" and provide it or did you just enter your phone number and SAN? Did you use a Hughes email to register or another service such as Yahoo?
These tests were using accounts that were already registered successfully so will not replicate a first time registration.
Also tried providing valid/invalid SAN with different valid/invalid phone numbers but got errors each time that stopped registration. Maybe Hughes has fixed the issue with lower case SAN.
Did you get any response from "Concerned"?
Wish Hughes would provide more info so I don't have to spend time debugging this and we can rest easy. Still no replies on the community board over there.
I got confirmation from 'Concerned' that they can NO longer see our info. Thank goodness!
Also, you are correct, only the last four digits on CC info was displayed.
No I did not check the box, have customer ID during my re registration, and I used my hughes.net email account.
Maybe they did get the upper case only for SAN number fixed. I don't know.....but it was crazy that no one pointed that out to me the FIRST time I got the error. Should they all be well versed in knowing that is a common issue.
Thank you and have a blessed day!