Panorama to blame for PowerGen gaff?

IT consultant and trouble shooter John Chamberlain said he stumbled across files containing PowerGen customers' credit card details after watching a BBC Panorama programme on IT security.

Chamberlain's revelation prompted utility giant PowerGen to admit today that it had suffered a breach of internet security which resulted in a leak of bank and contact details of thousands of its customers. Click here to read earlier story.

"I don't go around trying to do this," Chamberlain said today. "The reason I did it on that day was because of a Panorama programme I had seen earlier in the week. I don't go around trying to get into sites, trying to see what I can find round the back of sites to see if they are protected or not. But maybe people should."

Chamberlain said that more people should play around with URLs. "I would recommend everyone does it - add things on, take things off. Have a look around the internet. It's there to be browsed."

PowerGen was contacted by Chamberlain on 7 July, the same day he had accessed the files containing the data. Chamberlain said he told them to check their website because he had been able to access the credit card details.

He said he did not change the data and did not demand any money. "The only money they sent me was £15 for changing my gas supplier to PowerGen online. I didn't ask PowerGen for any money."

Chamberlain then contacted a student he teaches. "[The student] used to work at PowerGen and I thought he could alert them because he knows their system ops, and that would get it secured pretty quickly. I looked at it from a professional point of view," said Chamberlain.

"I've been in the trade for 10 to 15 years now, but it would have taken a novice to do what I did," he added.

Dai Davis, head of the IT group at law firm Nabarro Nathanson, said Chamberlain's actions would undoubtedly be classed as a breach of the Computer Misuse Act. "He won't knowingly have changed data, but part of the criminal code prevents access," he said.

Davis also said that weak legislation means PowerGen is unlikely to be prosecuted under the Data Protection Act. "Companies cannot be prosecuted unless they have been formally warned, so I can guarantee that PowerGen won't be prosecuted," he said.