We were very dismayed when we were contacted by concerned clients who had read the Fin24 article with the headline: “Massive Afrihost security flaw exposed”.
Here at Afrihost we are very serious about keeping our clients' information safe, and we'd like to set the record straight.
The premise of the article is as follows:
A client was able to request his password from a support agent for his ADSL user account. This led the client in question to assume that all client details are stored in plain text and can easily be compromised.
What’s really important to note is the following:
1. There was no breach of data at any time.
No databases, personal information, payment information or account details have been breached or hacked in any way. The article is based on hypothetical scenarios conceived by the author of the article, who was never (at any time) in possession of the data mentioned.
2. Our clients are not at risk.
Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever (based on the scenario in this article).
3. Passwords were never stored in plain text.
The writer makes several assumptions regarding the state of personal data, such as passwords being stored in plain text, which are inaccurate. Passwords are encrypted.
4. The information relates ONLY to ADSL usernames and passwords.
No payment information, personal information or ClientZone user login information was ever at risk. At absolute worst, the information in question could only be used to log in to an ADSL account (and one that allows concurrent logins). Any client could still view their ADSL sessions via their ClientZone and request that any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.
5. Our team of staff are trustworthy.
The article only refers to scenarios where a staff member of Afrihost could access vulnerable information. Our staff have no motivation to steal data from our clients, as they receive free internet for both fixed line (DSL or Fibre) and Mobile Data. In many cases, our staff give out their personal accounts to help our clients test their connectivity. While we did trust our staff with access to passwords - this ability has since been removed - this was always subject to identity verification. However, we have removed this feature for our clients’ peace of mind and will find new ways to ensure that our clients enjoy the same level of convenience when interacting with our consultants.
We’ve always had to balance our need for increased security and safeguards with our clients’ convenience. Changes to our security are in ongoing development at all times, and we had planned to devise a convenient way to roll these out with minimal impact to our clients.
We are now simply fast-tracking that plan and will send out more communication shortly to inform our clients of the changes that will affect their daily transactions with Afrihost.
We welcome any and all security suggestions or alerts from clients or industry experts - we’re always eager to find ways to improve our clients’ experience.
However, it would be highly irresponsible for us to conduct this type of conversation in public, or in the press. We prefer to conduct these conversations offline and then work with our team to find the best solutions for our clients.
Sadly, when we were approached by the security expert mentioned in the article, he was not willing to work with us and was determined to go to the press. He originally said he would give us 30 days to respond - and these 30 days have not yet passed. In fact, we responded to his suggestions within 48 hours.
Our General Manager also called him personally to request that he work with us so that we did things in the right way, but to no avail.
We were shocked and surprised at the article’s headline, “Massive Afrihost security flaw exposed”, which we feel is both irresponsible and sensational and doesn’t accurately reflect the issue at all.
As mentioned, no data was breached, no personal information was compromised and not a single client was adversely affected in any way.
Since the change to our systems was already planned, we were able to implement it within 48 hours.
Please rest assured that, as an Afrihost client, you not only enjoy our product and services, but also our protection. We are committed to doing everything within our power to ensure that our clients’ personal information, payment information and product information are secure and cannot be used in unethical or criminal ways.
If you have any questions whatsoever, please check out answers.afrihost.com where we’ll be posting more information on this and other important topics.