Telecom sticks with YahooXtra - two of its harshest critics react

UPDATE: "Telecom was stuck between a rock and a hard place with this," Institute of IT Professionals NZ CEO Paul Matthews told NBR ONLINE.

After a review, Telecom says it will stick with Yahoo (which hosts its Xtra email service in Sydney) despite security problems and a widespread phishing attack in February.

Closing Xtra mail or moving to another provider would have been highly disruptive for its 400,000 Xtra email users and would be a last resort, the IITP boss notes.

"It's encouraging that Telecom is making changes to its configuration to allow for a more proactive response should a future event occur," Mr Matthews says.

Martin Cocker, head of the part-government-funded NetSafe, says Telecom is quite right to describe security breaches as being part of the reality of the online world.

"Given that fact, service providers should be ready to respond and assist customers when breaches occur," Mr Cocker says.

"Our criticism of Telecom focused on the delay to, and initial approach to, engagement with customers and stakeholders."

Therefore, NetSafe's interest is not so much in whether Telecom has chosen to stick with Yahoo or not, but whether it has improved its capability to respond to any future breaches, the NetSafe boss says.

"That is something that cannot be proven until it is tested."

Mr Matthews strikes a similar note.

"One of the largest criticisms of the initial response was a lack of communication with customers about what was happening and the scale of it. Keeping their customers in the loop would have made a significant difference. Time will tell how this plays out of course."

ckeall@nbr.co.nz


EARLIER: Telecom has completed its review of the Xtra email service, hosted on its behalf by Yahoo in Sydney.

The review followed a security breach of Yahoo's email servers that saw "phishing" emails sent from some people's accounts, even if they had not accessed their Xtra email account recently, let alone clicked on a dodgy link.

At the time the security breach was announced, on February 12, Telecom Retail CEO Chris Quin said all options were on the table; a clear hint Yahoo might be dropped.

Yahoo has promised to improve security.

It will also move Telecom to "Yahoo-standardised infrastructure, rather than the bespoke service they provide us with today. We believe this would offer a more robust and flexible platform, with greater redundancy than our current setup, improving the reliability of the service, and reducing the impact of any incident if something does go wrong," Mr Quin said in a statement this morning.

Meantime, "In the short term, Telecom is working with Yahoo! to implement a much simpler process for alerting customers whose accounts have been compromised and helping them re-secure those accounts. This will involve automatically directing customers to a webpage that advises them their accounts have been compromised and then steps them through changing their password, and making any necessary changes to their settings," Mr Quin says.

A key problem during the February incident was that tens of thousands of affected customers did not change their passwords. Telecom had to summarily cancel their existing passwords, then direct them to reset them online or by phone. At times Telecom's website was overloaded, and wait times for its call centres stretched to hours.

The mail server security breach, plus a subsequent upsurge in phishing emails, saw around 75,000 of Telecom's broadband customers affected.

Today, Mr Quin said research found customers rated Yahoo Xtra very highly, and favoured keeping the service.

The retail boss notes the service is optional. Around 400,000 choose to use it.

Telecom also asked whether it should offer a web mail service full-stop (the YahooXtra service is a legacy of the time Telecom owned a 49% stake in Yahoo's local subsidiary, which was sold in mid-2011).

Overwhelmingly, customers said it should, the company said in a statement (below).

There were two narratives on the February "customer impacts" as Telecom has termed them.

Telecom acknowledged there were two separate problems.

The company emphasised the upsurge in phishing email, that is, messages that encourage people to click on a malicious link. If a recipient clicks on the link, the people in their address book often also get sent phishing emails.

Experts like Institute of IT Professionals NZ CEO Paul Matthews and NetSafe head Martin Cocker emphasised the fact there was a direct breach of YahooXtra mail servers, meaning historic emails and address books could have been downloaded for use in future attacks (Telecom and Yahoo admitted this was a possibility, but say there is no evidence it occurred).

To underline the human error element, Telecom noted its own CEO, Simon Moutter, had foolishly clicked on a phishing link.

To highlight the Yahoo email server breach, NBR channelled Messrs Matthews and Cocker and noted a graphic example of the fact that phishing emails weren't just sent from the accounts of people who clicked on rogue links: one NBR reader received an email sent from the account of Capital & Merchant Finance director Neal Nicholls, who has been in jail since August last year with no internet access.
