Security researcher warns of power company customers' passwords being stored in the clear, software provider responds with lawyer-letter

SEDC is an Atlanta-based company that provides back-ends for utility companies; a security researcher discovered that the company stored his password in the clear. The company's products have more than 15,000,000 users, whose logins and passwords are potentially also stored in plaintext. When the researcher alerted the company about this, the company ignored them, then denied that there was any problem, then demanded that the researcher not communicate about this except to SEDC's general counsel.

The responses from SEDC general counsel Mark Cole split hairs over the security implications of storing unencryted passwords, insisting that because this was not prohibited by PCI-DSS, an industry regulation governing storage of customer billing information; and because logging in would not reveal billing information, there was no problem.

The security researcher who discovered the password problem has received assistance from the Electronic Frontier Foundation (disclosure: I am a consultant to EFF).

Cole eventually sent the researcher an email that implied that the company had reformed its password handling, but with a great deal of worrying ambiguity.

Storing passwords in the clear is an industry worst-practice. Because so many people re-use passwords, password breaches are a useful source of data for "credential stuffing" attacks on other sites; if SEDC or its customers suffer a breach, they could unleash millions of passwords that could be used to compromise the users of its services.

So is the situation "fixed"? It's unclear. SEDC's counsel—who did not respond to Ars request for an interview—gave as little technical information as possible during the entire 120+ day saga with X. "In 2019, it's ridiculous that vendors are replying to security researchers via general counsel, not a bug bounty program," Cardozo noted. Cole's final correspondence with X is both careful and cagey. It says, in part:

I wanted to let you know SEDC has changed the way our software handles "forgotten password" requests for the payment portal, and we have disclosed the change to all our Customers. We also have disclosed this change and the history of your communications of which we are aware—with SEDC and our employees, with some of our Customers, and with social media generally—in detail to our Board of Directors, which is comprised of a dozen of our Customer-Members. They do not believe any further "disclosure" by SEDC is needed or appropriate.

Given that there has been no PCI violation nor any indication of third party access to anyone's PII (in fact, the plain-text password at issue does not enable such access), it is unclear what "disclosure" you think should be made, much less under what authority you think such a disclosure would be required.

Mark Cole, General Counsel for SEDC

What Mr. Cole did not say is that "the passwords are now encrypted," let alone that "they are encrypted now, using a strong hash, with cryptographic salt unique to each record."

Plain wrong: Millions of utility customers' passwords stored in plain text [Jim Salter/Ars Technica]

(via /.)