6

I live in the UK. Some time ago I wanted to log in to my electric company account to check the bill and such, and I had forgotten my password - long story short, I got my account locked and had to call them. To my surprise, after completing the security checks over the phone (name, address, birthday) they simply told me my password over the phone, which would imply that they do not have it hashed in their database.

EDIT: The question that is referred to as a duplicate does not ask about, nor identify, an authority in the UK that would be responsible for dealing with such issues (I am assuming here that there is such an authority, while in fact there might not be one).

Is there an authority in the UK to which I could report this?

Matas Vaitkevicius
  • Hello and welcome to security.se. This isn't the place to ask for product (or vendor) recommendations. I invite you to read the site help section. – Stephane Jan 27 '16 at 10:04
  • 3
    Possible duplicate of [What to do about websites that store plain text passwords](http://security.stackexchange.com/questions/7118/what-to-do-about-websites-that-store-plain-text-passwords) – mti2935 Jan 27 '16 at 10:19
  • You can of course change your electric company, then invoke the data protection act to have your password erased from their servers. – Aron Jan 27 '16 at 10:47
  • 4
    @mti2935 - The UK element of this question makes it distinct from the other question – paj28 Jan 27 '16 at 11:04

1 Answer

7

The Information Commissioner's Office is the relevant public body. You can report a concern online.

However, there is no explicit requirement to hash passwords. The Data Protection Act includes eight data protection principles; number 7 is:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Whether password hashing is an "appropriate technical measure" is open to debate - an organisation can argue they have other controls. I expect the ICO would only take action if there was an actual breach.

paj28
  • 2
    Bingo! https://ico.org.uk/concerns/handling/ there's a form to 'express concerns' on how information is being handled. Thanks. – Matas Vaitkevicius Jan 27 '16 at 11:06
  • @paj28 you beat me to it! Another thought might be http://www.ombudsman-services.org/what-are-you-complaining-about-os.html but the ICO should definitely be the first port of call. I'm not sure if the ombudsman would be interested but thought it worth a mention. – GreatSeaSpider Jan 27 '16 at 11:10
  • 1
    @paj28 I think it'd be beneficial to point in your answer to the form found by Matas! – Steve Dodier-Lazaro Jan 27 '16 at 13:28
  • @paj28 what I meant is the information is more easily missed in the comments than in your answer, and your answer can be read as implying that the ICO won't investigate or consider the concern that OP wants to report. In fact, even though it might not be acted upon because of a legal loophole, the mere fact of reporting a concern can help the ICO understand what kinds of issues people are facing. – Steve Dodier-Lazaro Jan 27 '16 at 16:11
  • @SteveDL - ok, you've persuaded me :) – paj28 Jan 27 '16 at 17:19