Jimmy Green Website - Re-registration required - security issue?

Tomaret

I’ve just responded to an email from Jimmy Green telling me that I have to re-register with their new website as part of their response to new data protection legislation. I was surprised to receive an automated response that showed, in plain type, both my email address and the password I have chosen. Intuitively I feel that this is a security issue, but don’t understand nearly enough about internet security to know if I’m right to be concerned.

I’d be grateful if better informed forumites could enlighten me, please.

Mark
 
Certainly very bad practice to email a password in clear / unencrypted email - unless it is a temporary, one-use-only one to be changed immediately, e.g. after a password reset request.

But firstly, are you sure the original email was genuine and not a phishing one? Worth phoning Jimmy Green to confirm if genuine, and to point out very poor practice if it is.
 
Certainly very bad practice to email a password in clear / unencrypted email - unless it is a temporary, one-use-only one to be changed immediately, e.g. after a password reset request.

But firstly, are you sure the original email was genuine and not a phishing one? Worth phoning Jimmy Green to confirm if genuine, and to point out very poor practice if it is.

Thanks for your response. I have contacted Jimmy Green and their response suggested that the password sent by them was automatically generated, which clearly it was not. Either they don’t know how their system works, or it doesn’t work as they thought it would.
 
Sending a password is frowned on 'cause email isn't secure.

However, what REALLY matters is if the password is stored in plain text in their database. I'd be surprised if anyone does this these days... but I know at least one major internet provider can see all their customers' passwords... yes PlusNet - a disgrace!
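
An added example (not code from Jimmy Green's site or from anyone in this thread) of the storage point raised above: a registration handler that keeps only a salted scrypt hash and builds a confirmation email without the password. The function names, the in-memory table, the sample address and the scrypt cost settings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "user table"; a real site would use its database.
USERS = {}

# Assumed cost settings for the example, not a recommendation for any one site.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password and a per-user salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def register(email: str, password: str) -> str:
    """Store only salt + derived key; return the confirmation email body."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "key": _derive(password, salt)}
    # The plaintext is still in scope here, which is why a registration email
    # CAN echo it even when storage is hashed. The body leaves it out.
    return f"Hello,\n\nYour account for {email} has been created.\n"


def verify(email: str, password: str) -> bool:
    """Check a login attempt by re-deriving the key and comparing."""
    record = USERS.get(email)
    if record is None:
        return False
    candidate = _derive(password, record["salt"])
    return hmac.compare_digest(record["key"], candidate)


def stored_record_leaks(email: str, password: str) -> bool:
    """True if the plaintext password appears anywhere in the stored record."""
    needle = password.encode("utf-8")
    return any(needle in value for value in USERS[email].values())


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    body = register("mark@example.test", pw)
    print("password in email body:", pw in body)
    print("password in stored record:", stored_record_leaks("mark@example.test", pw))
    print("login with right password:", verify("mark@example.test", pw))
```

A password echoed at registration does not by itself show how it is stored; a later email that returns the original password would, because a stored hash cannot be turned back into it.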
 
I did the same thing today and was very surprised to see my password in clear in the registration confirmation email.
Anyway, I went back onto their site and changed it.
 
I did the same thing today and was very surprised to see my password in clear in the registration confirmation email.
Anyway, I went back onto their site and changed it.
Presumably that didn’t generate another automatic response with the same problem?

Mark
 
I received the same request, in sunny Australia. I did buy something from JG some years back and had it delivered to our daughter in the UK whom we visited soon after it arrived.

However the email request to re-sign is 'odd'. They suggest that if you do not sign in they will delete your old details and those of anyone else who does not sign in. I get offers of mailing lists, they are worth money - why would anyone want to destroy marketing information and a 'free' database of potential customers?

I'm not updating my details. Not because I do not like JG - but if I need something - I know where they are - I do not need reminding.
 
Yes it's to do with GDPR, it says so.
It seems that the effect of GDPR on stuff like this is being interpreted in many different ways. I don't actually think they needed to dump all their existing contact details, because as I understand it the new rules are not retrospective.
 
Yes it's to do with GDPR, it says so.
It seems that the effect of GDPR on stuff like this is being interpreted in many different ways. I don't actually think they needed to dump all their existing contact details, because as I understand it the new rules are not retrospective.

They are not retrospective (so historically you can't be done for over-retention of data for example) but from the end of May they can only retain data where there is a clear business need in order to fulfill the service you are undertaking with them OR where you have given specific consent.

So buying something - they need to retain the data to send your order and deal with any account enquiries afterwards - so basically accounting / tax driven.

If you haven't bought in a while then they don't need your data so it comes down to why would they retain it?

From May - the ICO could take action for data retained beyond May if no consent.

I assume that Jimmy Green have looked at it and decided that the logistics of only deleting data from their old website and porting the rest to the new site is too expensive / time consuming so instead will simply delete all records from the old site and start again from scratch with valid consents in place.
 
Yes it's to do with GDPR, it says so.
It seems that the effect of GDPR on stuff like this is being interpreted in many different ways. I don't actually think they needed to dump all their existing contact details, because as I understand it the new rules are not retrospective.

Hmm, not sure. Certainly the RYA have asked all newsletter recipients to revalidate their choices or be dropped from the list.
 
It's a very simple way for them to comply with the GDPR. Part of the process of implementing the new regulations is to conduct a data audit and to obtain explicit consent for all data held. If you purge your old data as JG is doing and get people to re-register, you remove the audit requirement (for the time being) and by using a consent tick box on the re-registration form you cover that angle as well. Simple and automated, no expensive humans involved in looking through ancient email addresses....
 
Re: Jimmy Green Website - Company response

Jimmy Green contacted me this morning to say that they have removed the plain text password from the automatic response.

Mark
 
Re: Jimmy Green Website - Company response

As I use the email address for the boat then I don't really care what was on the reply.
 