Seems like The Reg has a personal angst against PlusNet!  

Yep. That's what can happen if a company's policy on damage limitation is to bury their heads in the sand.
Not being told anything is almost worse that being told "we're satisfied".
Frankly, it's downright insulting and just shows up exactly the style of management going on. I've worked for places where management would do anything to avoid putting their hands up when they've done something wrong (or simply something wrong has happened), and I do mean anything. I couldn't get out of there quickly enough!
It's this sort of behaviour that could make me leave, no matter how satisfied I am generally with the internet service I have.
...and there's still the open matter of the illegal acquisition of my, and our, personal data.

Quote from: Townman

Seems like The Reg has a personal angst against PlusNet!

Don't worry about The Register, they are pretty much as low as it goes with regards to gutter press tech reporting.  They jump on any bandwagon that might mean some more hits to their website.  it's just a lame clickbait lair.
It's so bad, some of their worst writers even have GreaseMonkey scripts developed, so you don't have to read their pathetic drivel.
http://tinyurl.com/orlowskifilter

I'm surprised after more than a month, that we haven't been given some feedback (or been asked more questions) about where the investigation has gone. I've just done a very quick check on the numbers coming in (and now being bounced) and it's at 111 in the last 30 days. I note that the SpamAssassin score is typically 8-10 with a few lower and few higher, but this may mean that a lot of people are just not seeing them as a result.
So far (please correct me if I'm wrong) we know only that it's specific email addresses used in the billing system (not as some have said, relatively non-specific plusnet@... , not the forum, and not all accounts, which is where the mystery potentially lies).
The most likely leak is obviously a third party mailing company that have been trusted with our email addresses (I noted in those first 30 emails that my name was never mentioned, so I do suspect this is just email addresses and nothing else.) As stated earlier in the thread (I know that Mark - Carrot63 mentioned this) a complete third party opt-out, or better still a deliberate opt-in, should be in place.
The next most likely is that another Plus Net system that uses these email addresses has been compromised (see below).
The least likely is that there's a network node somewhere between us spam receivers and Plus Net (or third party) email servers which is sniffing packets to pull out addresses for exactly this purpose.
So if we take off the tin foil hat, for those that are receiving the spam, which Plus Net services (for want of a better term) have you used:
Recommend to a friend? (form fill - sends as though it is us, not Plus Net)
Support tickets? (uses the billing email address, and I can recall putting in a query around 2 years ago, during what turned out to be planned maintenance downtime)
Any others I've forgotten?

To keep things productive, if you're reading this, and not receiving spam: Congratulations. Don't tell us. (Except for Jim, obviously)
The Register comments have today provided a couple of useful posts, sadly made anonymously:
I'm in an unusual(!?) position in that I control several plusnet accounts (non-tech family members / friends), each with a unique plusnet-only email address to <<a domain>>.
Thought it weird that only some were receiving said spam - thinking about it, only those on which I have ever raised a ticket...
I'm annoyed by this when it happens, because I'm essentially otherwise spam free. Sure, for the 15 or so domains I'm running, you always get spam to info@, that's a given, and the tech contact listed on the Whois records always has a trickle, but it's easy to direct into one folder and quickly check over. When you know exactly where the address was given, and are confident about your own security measures (only TLS connections,etc.) it's pretty rude when you're just dismissed in this way.
James

Excellent post HP/James
I was going to suggest that someone with a post at the beginning of the thread could perhaps collate the facts and speculation to date to weed out something of the duplication, or perhaps OldJim would kindly use his miraculous powers facilitate such a post in the appropriate place.
Tickets is an interesting one, because I suspect it would mean different things depending on what was being raised. For example all billing email addresses would receive a monthly payment notice, and this and other 'service' notices all appear on the tickets list. Other support or billing queries raised by the user obviously also appear here, but must also presumably be passed to other departments to deal with. The question might then be as to whether the details are also passed along as part and parcel, or as seems more likely to me, a reference only is passed on with any contact facilitated through the tickets system via the ticket reference/user ID. Some requests are further passed on to BT and other 3rd parties involved in fixes and they may also be given contact details. I've only had this once. So there may be scope beyond the tickets system itself for stuff to get lifted via a breach or disgruntled staff member. Our account passwords are not so much as hashed, so how secure the rest of our details are is in my mind open to question.
The account in question in my case (my parents) has had all the usual service requests, but as as I recall no other support tickets raised EXCEPT for the one a week before the spam started, which was for account cancellation. As part of this the original billing email was changed for my own at the time of cancellation to catch quickly any last billing issues. The address would also have had any of plusnets internally run marketing.
I also find it interesting that all of the spam (in my case) appears to originate from the same place, with an 'unsubscribe' link at bottom, and a common address in the US for the company supposedly responsible. I would characterise the mail as 'the tacky end of marketing' rather than the more normal 'medications and casinos' drivel that I'm normally deluged with. As a gut feeling, this to my mind lends credence to one of PNs "trusted 3rd party marketing partners" playing fast and loose with the data in a way that I'm sure would surprise no one, but annoy everyone.

Quote from: HolaPussycat

...which Plus Net services (for want of a better term) have you used: Recommend to a friend? Support tickets? (uses the billing email address)

You might also add:
- Email address type (Plusnet system/ own domain)
- Address unique to plusnet billing? (unused for other purposes)
- Length of time account held with plusnet?
- Length of time address was used with account?
- Address passed to third party during support?
- Are you a Broadband Phone user?
- Are you a CGI-Hosting platform user?
- Has the address been used for 'status update' emails?
My own responses would be:
- Recommend to a friend? - Not used
- Support tickets? (uses the billing email address): - Yes
- Email address type (Plusnet system/ own domain): - own domain
- Address unique to plusnet billing? - Yes
- Length of time account held with plusnet? - 5 years
- Length of time address was used with account? - 5 years
- Address passed to third party during support? - No
- Are you a Broadband Phone user? - No
- Are you a CGI-Hosting platform user? - No
- Has the address been used for 'status update' emails? - No
Finally, does anyone know if we are required to raise a complaint with PN before raising one with the ICO? If so, does the process have to be followed to completion before contacting the ICO?
Edited to add to list 16/12/2014

Another possibility with regards to tickets is the survey at the closure. SurveyMonkey I believe has been used for a few years now. Could be a red herring though as it's possible to have things set up in a way that's pretty much anonymous to SM (ie no address or personally identifiable info and just an ID only known by PN is yours).

Hadn't thought of those, but I'd be surprised if the surveys worked on anything other than a unique ID with no connection to PN per se. The account in my case wouldn't have been used to do one, because both setup (IIRC) and cancellation were done by phone.

Hmm... good post indeed James.
I've never recommended a friend (don't have any) but I have used support in the past. Not for a while though - maybe two years ago.
@carrot63, re. the ICO, all it says is the company should have issued a final response to you. Given that PN hasn't said anything for ages, I'm taking the last thing it said here as its final response.

Quote from: carrot63

Hadn't thought of those, but I'd be surprised if the surveys worked on anything other than a unique ID with no connection to PN per se. The account in my case wouldn't have been used to do one, because both setup (IIRC) and cancellation were done by phone.

The fact that contact was by phone is irrelevant. I have had several Survey Monkey's in the past. IIRC each resulted when a ticket on the account was closed, the last one by a member of staff a few months ago. Never had one resulting from automated tickets -eg billing etc.

Support tickets is an interesting one - it would certainly explain why only some addresses are affected.
My answers:
- Recommend to a friend? - Not used
- Support tickets? (uses the billing email address): - Yes
- Email address type (Plusnet system/ own domain): - own domain
- Address unique to plusnet billing? - Also used for this forum
- Length of time account held with plusnet? - 1.5 years
- Length of time address was used with account? - 9.5 years
- Address passed to third party during support? - No

I just want to repeat some information I gave very early on in this thread - the spam I have received has been to two different email addresses, one used only with Plusnet and the other used only with madasafish, for an account that I look after for a relative. The spam to each has been about half and half and it has all been from the same source, that company in New Jersey. The madasafish email address has never been used on the Plusnet website in any way, shape or form. I have still only had about a dozen messages in total, not the hundreds that some have, and they have come in three small waves with a significant gap between them. The last one I received was on 9 December ("Remortgage for less").