
Is it too late to plug the PowerGen leak?

by Andy McCue, Computing

25 Jul 2000


John Chamberlain says he is not a hacker. He doesn't belong to the murky underground of long-haired coding geeks who steal information, deface websites, spread viruses and cost businesses millions of dollars a year worldwide.

He's just a regular guy who stumbled across a security hole in the website of utility company PowerGen - and, in doing so, compounded public fears that ecommerce is perilously unsafe.

News of Chamberlain's vigilante action emerged a couple of weeks ago, nearly a month after he accessed 7000 customers' credit card details on PowerGen's website by doing nothing more than playing around with the URL.

While paying his bill online, he was able to access the file directory listing, which contained unprotected and unencrypted customer account details.

Sandra Baccari Edler, research analyst at IDC, says the whole debacle is further evidence that most companies are still not taking ecommerce security seriously, despite handling extremely sensitive customer information.

"Companies tend to have the approach that if they have a firewall and this stops a hacker getting in, they are safe," she explains. "But it's not just about software, and it's important that companies sit back and look at an holistic security policy which moves away from the barricade mentality."

How the hole was discovered
Chamberlain originally located the list of files on the PowerGen web server on 7 July. A freelance IT troubleshooter for more than 10 years, he contacted the company immediately. The utility noted his complaint, but refused to let affected customers know about the problem.

Chamberlain decided to take matters into his own hands, and took the whole sorry tale to an online IT news service. When confronted by journalists, PowerGen compounded its earlier inactivity by denying the existence of any evidence to substantiate Chamberlain's claims.

Using this 'non-existent' evidence, the journalists started phoning affected customers and reading their credit card numbers back to them. PowerGen blundered again by reporting Chamberlain to the police for hacking.

While Chamberlain denied the allegations, he admitted that his decision to play around with the URL was inspired by the BBC's Panorama programme on hackers, which was broadcast on 3 July. "I don't go around trying to get into sites, trying to see what I can find round the back of sites or see if they are protected or not," he said. "But maybe people should."

Whatever his motives, Chamberlain's actions revealed that PowerGen was laying itself wide open to malicious breaches. The company has not released specific information on the defects that enabled people to access the credit card information, but security consultants are speculating on what safeguards should have been in place.

"The information should have been secured on an isolated database server, protected by multi-level firewall access, and encrypted," says Richard Walters, European product manager of systems security at network safety consultant Integralis.

"Encrypting the connection between the browser and the web server is not adequate, and gives users the impression that the data they submit is also secured."
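The failure described above (a listable directory under the web root holding an unencrypted customer file) is one an operator can check for locally before a server ever exposes it. The script below is an added example written for this article, not code from PowerGen or from Computing; it assumes a static document root served by a web server that auto-generates listings for directories lacking one of the conventional index filenames, and the sample tree it builds is constructed for the demonstration. It flags directories that would be listable and files whose contents contain card-like numbers that pass the Luhn check, so plain reference numbers are not reported.

```python
import os
import re
import tempfile
from typing import Dict, List

# Index filenames a web server serves instead of an auto-generated listing.
# Assumption: the server is configured with this conventional set.
INDEX_FILES = {"index.html", "index.htm", "default.htm", "default.asp"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CARD_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card-like numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers_in(text: str) -> List[str]:
    """Return the Luhn-valid card-like numbers found in text, separators stripped."""
    found = []
    for m in CARD_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def audit_docroot(docroot: str) -> Dict[str, List[str]]:
    """Walk a document root and report two kinds of finding:
    'listable'   - directories with no index file (an auto-indexing server lists them)
    'card_files' - files whose content contains Luhn-valid card-like numbers.
    Paths are reported relative to docroot with '/' separators."""
    listable, card_files = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        if not (set(filenames) & INDEX_FILES):
            listable.append(rel)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if card_numbers_in(text):
                card_files.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return {"listable": sorted(listable), "card_files": sorted(card_files)}


def build_sample_docroot() -> str:
    """Constructed sample tree (not PowerGen's real layout): a billing area with
    an export subdirectory that has no index file and holds a customer dump.
    4111 1111 1111 1111 is a well-known test card number; 1234567890123 fails Luhn."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "billing", "export"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>Pay your bill</html>")
    with open(os.path.join(root, "billing", "index.html"), "w") as fh:
        fh.write("<html>Billing</html>")
    with open(os.path.join(root, "billing", "export", "accounts.txt"), "w") as fh:
        fh.write("ACME Customer,4111 1111 1111 1111,12/02\n"
                 "Other Customer,1234567890123,01/01\n")
    return root


if __name__ == "__main__":
    report = audit_docroot(build_sample_docroot())
    for kind, items in report.items():
        print(kind, items)
```

Run it against a real document root by passing that path to audit_docroot instead of the constructed one. A directory appearing under 'listable' should either gain an index file or have listings disabled in the server configuration; a file appearing under 'card_files' should not be under the web root at all, which is the consultant's point above: card data belongs on an isolated, encrypted store, not in a file the web server can hand out.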

An 'isolated flaw'
According to Mike Wager, PowerGen's retail managing director, the hole found by Chamberlain was an isolated flaw. "Initial investigations showed that the information which had been accessed was in a file which, due to a technical error, was temporarily outside the security gate of the system," he said.

"This was immediately corrected and new procedures introduced to eliminate the possibility of it happening again. There was no breach of the security of our main customer database."

The Office of the Data Protection Registrar has admitted that the utility cannot be prosecuted for not safeguarding its customers' information. The law only requires that PowerGen provide reassurance that the problem has been identified and fixed (see below).

PowerGen eventually dropped the hacking allegations against Chamberlain and, in a spectacular act of backtracking, has even asked for his advice on tightening up site security.

The utility has committed itself to paying out £50 to each customer affected by the breach. But it remains to be seen whether this will be enough to counteract the negative implications, both for PowerGen's future and confidence in ecommerce generally.

"When a company experiences a virtual security breach that customers are aware of, it loses their trust, which diminishes the value of its brand name - something that is extremely difficult to regain," warns IDC's Edler. "The long-term success of ebusinesses will be highly dependent on the ability to provide a truly secure environment in which customers and partners can conduct business."

Can PowerGen be prosecuted for the breach?

"If an organisation accepts there has been a breach and identifies the problem, then we would just seek formal assurances of procedures to ensure it does not arise again," says a spokesman for the Data Protection Registrar. "In PowerGen's case, the bad publicity it has had should be a salutary lesson to it and other companies about the need for effective security."

Securing customer information online falls under the seventh principle of the Data Protection Act, which requires companies to have appropriate security measures in place to ensure the confidentiality and protection of the data they hold.

Fortunately for PowerGen, however, breaching a principle does not automatically lead to prosecution. Only a breach of the criminal code, which does not apply to the security issue, can result in a trial.
