Comment & Analysis

Powergen scandal: lessons to be learned

The lax security at Powergen has raised a number of issues about best practice in ecommerce. Here Sarah Left, the silicon.com reporter who brought this breach to national attention, considers some alternative approaches...

By Sarah Left

Published: 21 July 2000 00:25 BST

If you listen to security experts - and we've been listening to a lot of them in the last two days - they'll tell you that the Powergen security breach was completely preventable. And that it's bound to happen again (http://www.silicon.com/a38693).

"The news here is that this is not as much of an exception as you might think," said Douglas Hurd, a business development manager at Network Associates (NAI). "The inability to detect vulnerability is pretty routine."

"Eighty per cent of companies have never had a security test done on their website," agreed Deri Jones, of internet security firm NTA Monitor.

Security has always been a stumbling block in convincing consumers to engage in ecommerce, so a general lack of commitment to security is an incredible own-goal by industry.

Placating statements about security seem like hollow promises once a breach has been exposed.

"At Powergen, we take the security of our customers very seriously," the company said in a broadsheet advertisement yesterday. In fact, Powergen took data security so seriously that the company stored card and personal information - unencrypted - on a web server, failed to contact customers when informed of the security lapse, waited 12 days, threatened the informant with legal action, and finally told customers only after silicon.com published the whole sorry story.

"Ninety-nine per cent of this stuff - like stealing card details from a website - is preventable. There's technology from a number of different vendors to encrypt data or make it inaccessible," added NAI's Hurd. "I also wouldn't leave customer-sensitive data on the web server for any longer than needed. I would keep that data in a more secure place on the network."

Whether Powergen should have been storing the data at all is another question. Users must input their data into the Powergen site each time they want to pay a bill. Therefore, once the transaction has taken place, there's no reason for Powergen to continue to hold that information anywhere on its network.

silicon.com reader Andrew North noted that if bricks-and-mortar retailers can achieve real-time verification, there's no reason companies can't do the same online.

He wrote: "It would be perfectly feasible to have a website communicate with the credit card companies' computers for card verification. A person enters card information on their browser, it goes through the usual secure connection to the website and then the website connects to Visa, etc. for verification. No account information is stored on the website."
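The verify-and-discard flow the reader describes, as an added example that is not part of the original article: the site forwards the card to the scheme for authorisation, keeps only a masked number and the authorisation reference, and a retention check scans whatever was stored for full card numbers. The issuer call, the record layout and the sample card number (a Luhn-valid test value) are all constructed assumptions.

```python
import re
import secrets

PAN_RUN = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form a receipt needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def verify_with_issuer(pan: str, expiry: str, amount_pence: int) -> dict:
    """Hypothetical stand-in for the card scheme's real-time authorisation."""
    approved = luhn_ok(pan) and amount_pence > 0
    return {"approved": approved, "auth_ref": "AUTH-" + secrets.token_hex(4)}


def pay_bill(pan: str, expiry: str, amount_pence: int, store: list) -> dict:
    """Authorise the payment; persist nothing but the masked number and reference."""
    result = verify_with_issuer(pan, expiry, amount_pence)
    record = {
        "masked_pan": mask_pan(pan),
        "amount_pence": amount_pence,
        "auth_ref": result["auth_ref"],
        "approved": result["approved"],
    }
    store.append(record)  # the full PAN and expiry go out of scope here
    return record


def find_retained_pans(store: list) -> list:
    """Retention check: any Luhn-valid 13-19 digit run in stored fields is a full PAN."""
    found = []
    for record in store:
        for value in record.values():
            for run in PAN_RUN.findall(str(value)):
                if luhn_ok(run):
                    found.append(mask_pan(run))
    return found
```

Running `find_retained_pans` against the records a web server actually holds is the kind of check that would have caught the unencrypted card file before a third party did.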

Security is about good practice and good management more than good IT. The shoddy security in place at Powergen seems to go far beyond a single technical incident, as the company claimed in its statement.

The company declined to comment further, but it still hasn't come clean on how this incident occurred and what security measures, if any, were in place at the time.

Let this be a wake-up call to industry - the cost of scandals like these isn't £50 per customer in compensation; it's the loss of ecommerce as a whole if consumers simply refuse to participate.
