Europe South Asia Asia Pacific Americas Middle East Africa BBC Homepage World Service Education

Front Page



UK Politics







Talking Point

In Depth

On Air

Low Graphics

Friday, May 7, 1999 Published at 15:28 GMT 16:28 UK

Business: The Company File

Crack in Egg's security

It's security, but not as you'd want it

UK Internet savings bank Egg, owned by Prudential, has rushed to close a security flaw that allowed some users to see other potential savers' confidential financial information.

Egg did not make the security flaw public, but BBC News Online was alerted to the problem by two of its readers.

One of them called the lack of security "very worrying".

New site with flaws

The fault developed 10 days ago when Egg moved its operations fully to the Internet and relaunched its Website with new technology.

Several people who tried to apply online for an Egg account, suddenly saw somebody else's application flash up on the screen - including confidential information like home address, phone numbers, e-mail address, the amount of money to be invested and other details.

Two shocked customers alerted Egg to the problem, whose IT team then desperately tried to track down the fault.

Peter Marsden, IT director at Egg, told BBC News Online that the flaw was corrected during the afternoon of the same day.

Encryption breaches security

[ image: Other people's personal details flickered on the screens of Egg applicants]
Other people's personal details flickered on the screens of Egg applicants
Ironically, the problem was triggered by Egg's own security measures.

People who try to apply for an Egg account are asked to log on to the system by identifying themselves with their e-mail address and a password.

This information is then encrypted and used to 'log the session', i.e. make sure that the computer makes the right connection between the Internet user and its own electronic records.

However, the new system was not configured to cope with long e-mail addresses. Every e-mail address longer than about 30 letters was automatically truncated.

Because of the encryption process, people with long, albeit very different e-mail addresses, could end up with identical IDs.

The flaw became apparent when, for example, mandatory sections in the application form were not filled in correctly and Egg's web server sent back the page demanding additional information.

At this point, a page containing confidential information could be sent to somebody else with the identical ID.

If hackers had been aware of the security flaw, they could have deliberately flooded Egg's servers, identifying themselves with long, but false e-mail addresses, hoping to glean personal information of Egg customers.

Egg has now ironed out the problem and changed the system so it can cope with e-mail addresses of any length.

Online, and growing

The Egg savings account has been a phenomenal success, exceeding the wildest expectations of parent company Prudential.

Within six months the company managed to reach its five-year target, with 500,000 customers who have put £5bn in its accounts.

To help its customers to get online, the Egg has launched a free Internet access service, similar to Dixon's succesful Freeserve.

However, the success has come at a price. The Egg venture is losing millions, and Prudential does not expect it to make money for some years.

Advanced options | Search tips

Back to top | BBC News Home | BBC Homepage | ©

The Company File Contents

Relevant Stories

28 Apr 99 | Your Money
Egg shells out millions in losses

27 Apr 99 | Your Money
Egg batters rivals

Internet Links


The BBC is not responsible for the content of external internet sites.

In this section

Microsoft trial mediator welcomed

Vodafone takeover battle heats up

Christmas turkey strike vote

NatWest bid timetable frozen

France faces EU action over electricity

Pace enters US cable heartland

Mannesmann fights back

Storehouse splits up Mothercare and Bhs

The rapid rise of Vodafone

The hidden shopping bills

Europe's top net stock

Safeway faces cash demand probe

Mitchell intervenes to help shipyard

New factory creates 500 jobs

Drugs company announces 300 jobs

BT speeds internet access

ICL creates 1,000 UK jobs

National Power splits in two

NTT to slash workforce

Scoot links up with Vivendi

New freedom for Post Office

Insolvent firms to get breathing space

Airtours profits jump 12%

Freeserve shares surge

LVMH buys UK auction house

Rover - a car firm's troubles