
Has there been a data breach?

Gerkin
Hooked
Posts: 8
Registered: ‎19-03-2018

Has there been a data breach?

Yesterday both myself and my in-laws received a scam call purporting to be from Plusnet telling us that our internet would be terminated within 24 hours... Usual scam bull****

We are both Plusnet customers and the calls were within an hour of each other.

I appreciate these scams are ongoing; we use call guardian so don't normally get bothered, but it had to be off for an expected call.

However we/they have never had a call specifically saying Plusnet (always BT) and we have never been called at the same time of day before.

Anybody else had similar?

Support say there has been no breach.

MatthewWheeler
Plusnet Help Team
Posts: 8,896
Thanks: 1,506
Fixes: 480
Registered: ‎01-01-2012

Re: Has there been a data breach?

Thanks for getting in touch @Gerkin

I can confirm this will have been a random scam call

 Matthew Wheeler
 Plusnet Help Team
grahamn
Rising Star
Posts: 242
Thanks: 21
Fixes: 2
Registered: ‎12-09-2010

Re: Has there been a data breach?

I was going to ask this, having had numerous bogus calls like this since June. Nothing before this time. They’re using spoof realistic UK STD codes as their calling ID, and calling those numbers gets an invalid number automated answer.

Are Plusnet sure nothing has happened, as it’s ongoing?
Mads
Plusnet Alumni (retired)
Posts: 1,873
Fixes: 79
Registered: ‎06-08-2018

Re: Has there been a data breach?

Hey @grahamn

Sorry to hear you're getting these calls quite a lot. I can confirm this is a scam that has been making the rounds for a while now.

As an anecdote, this happens with my mobile number every so often; personally I'll send it to voicemail or put the phone down on them after a few seconds if I answer.

Thanks.

Townman
Superuser
Posts: 22,923
Thanks: 9,542
Fixes: 159
Registered: ‎22-08-2007

Re: Has there been a data breach?

What is PlusNET doing to comply with Ofcom’s CP GC6 requirements? Note it’s the CP’s obligation, not their supplier’s.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

OskarPapa
Plusnet Alumni (retired)
Posts: 1,325
Fixes: 65
Registered: ‎09-10-2018

Re: Has there been a data breach?

Hi @Townman,

As always, thanks for your post.

Specifically in relation to call identification: we offer Caller ID and Plusnet Call Protect free of charge to all customers.

Further information on nuisance calls can be found via the below link:

https://www.plus.net/help/phone/stop-nuisance-calls/

Please let us know if you need further information, or if I've missed a crucial point.

Townman
Superuser
Posts: 22,923
Thanks: 9,542
Fixes: 159
Registered: ‎22-08-2007

Re: Has there been a data breach?

That is well understood but CP GC6 requires that the network drops calls having an invalid CLI. This is a CP obligation.


JOLO
Plusnet Alumni (retired)
Posts: 1,149
Fixes: 77
Registered: ‎06-08-2018

Re: Has there been a data breach?

@Townman

It's a difficult one to answer this without just saying "we comply", which of course we do, so we went away to speak to the compliance team to try and get you something a bit more substantial than that.

Initially while the conditions state that it's a CP obligation to meet the regulation, it doesn't actually mean we have to implement it, or do the background work involved. So for example we might have an understanding, or contract, with our network provider to facilitate this part of the conditions, and as long as they do this then we would comply - obviously we'd have reports to correlate this when sample data is passed across to the regulators each month, or quarter depending on when they require it as part of that condition's regular audits.

So the calls getting through, or the majority bar margin of errors (if they're allowed), are going to be classed as 'valid' with a presentation number, and a network number for tracing purposes and under the International public telecommunication numbering plan. The problem is that the regulations only apply to the UK, which causes problems for numbers that originate outside of the location where the regulator has any power in which case they offer this advice, and this advice. Even they've been subject to scammers pretending to be them.

As you're already aware we offer the call protect and a range of call features options to also prevent as many unwanted calls to try and meet a specific customer need (like anonymous call reject, choose to refuse). So as well as any agreement we might have to facilitate our compliance as part of that the features also allow this (these would likely fall under stopping and blocking section).

There's always going to be certain situations where some calls just cannot be blocked which is where we're told it being 'technically feasible' comes in, also a number not being diallable doesn't mean it isn't a valid number, companies can impose call features on their line which spoofs the number (for valid business reasons), but also prevents the use of return calls by preventing inbound call barring or busy out call features. We can't get you specifics of what is classed as technically feasible but if you'd like to push for something more then I'd do so in a private manner by probably speaking to Jono who could assist you a little better on a SuperUser level, it's highly doubtful that will be posted in a public manner - other than just saying we are compliant.

grahamn
Rising Star
Posts: 242
Thanks: 21
Fixes: 2
Registered: ‎12-09-2010

Re: Has there been a data breach?

Interesting answer which I’m sure Townman will reply to.

From my perspective as someone receiving nuisance calls that are not from legitimate business but are using local CLI, it seems nothing will change and the onus is on the customer to screen and block as the numbers change and evolve.

Is there really no way that even if the end user feeds these into you they could end up on a master blacklist?

Every number - every - if dialled gives a BT “invalid number” so the ability is there to test whether the called number is genuine.

Despite being TPS registered it makes no difference and when the incoming call goes to voicemail (mobile this time on the PN mobile number range) you get incoherent Chinese sounding ramblings for several minutes.

I sincerely hope there is more to be done as if these calls can legitimately find their way to customers with no further obligation on network operators / providers, I may have to migrate away - Problem was never experienced before PN had our telephony (mobile and landline).
Townman
Superuser
Posts: 22,923
Thanks: 9,542
Fixes: 159
Registered: ‎22-08-2007

Re: Has there been a data breach?

The bottom line is that GC6 requires the presented CLI to be a valid number which can be dialled. The network is supposed to drop calls presenting an invalid CLI.

So let’s take the excuses off the table for the moment. Why are calls presenting a CLI with invalid STD codes being routed rather than blocked? Call protect is an optional service - GC6 says nothing about dropping calls under an optional feature - if the CLI presented is not a valid number the call should not be routed.

Yes there will always be some scammer who spoofs using a valid CLI - but CLI spoofing is not what this requirement is about.


MauriceC
Resting Legend
Posts: 4,085
Thanks: 929
Fixes: 17
Registered: ‎10-04-2007

Re: Has there been a data breach?


@Townman wrote:
So let’s take the excuses off the table for the moment. Why are calls presenting a CLI with invalid STD codes being routed rather than blocked?

Could it be that the revenue earned from the 'Call termination' agreements is sufficient to distort the current business plans?  I'd guess that most of the currently installed gateway software only validates the forward path to ensure that the call can be completed and earn revenue?  Validating the CLI and any presentation number provided in the reverse path is currently only a UK requirement (as far as I can see?) and potentially low on any development agenda.


Townman
Superuser
Posts: 22,923
Thanks: 9,542
Fixes: 159
Registered: ‎22-08-2007

Re: Has there been a data breach?

In which case Ofcom need to grow some balls! It’s a stated regulator requirement which ought to trump any consideration of revenue received by delivering the call.

I see CLI verification as an intrinsic part of call delivery - is the presented number (at least the STD code) viable and therefore permits the number to be routed to termination.


MauriceC
Resting Legend
Posts: 4,085
Thanks: 929
Fixes: 17
Registered: ‎10-04-2007

Re: Has there been a data breach?


@Townman wrote:
In which case Ofcom need to grow some balls! It’s a stated regulator requirement which ought to trump any consideration of revenue received by delivering the call.

It's not that easy Kevin. Much of this traffic is international and the 'rules' are complex and arcane particularly in the old PSTN arena. The more recent VOIP 'rules' are more flexible but, as I understand it, are highly variable by both territory and compliance! Ofcom has limited influence in this arena.

Townman
Superuser
Posts: 22,923
Thanks: 9,542
Fixes: 159
Registered: ‎22-08-2007

Re: Has there been a data breach?

Hi Maurice,

Maybe I am missing something here … GC6 discusses call identification in a lot of detail. Calls carry two numbers...

  • The network number - the number the call originated from
  • The presentation number - the CLI shown to the calling party

A first level check ought to be "Are these numbers the same?"  If they are not then caution in routing ought to be applied.

Whatever the requirements on the presentation number are...

https://www.ofcom.org.uk/__data/assets/pdf_file/0021/116670/cli-guidance.pdf

See 4.10 onwards...

4.10 The General Conditions require that CPs must present a valid, diallable telephone number which uniquely identifies the caller.

• A valid number is one which complies with the International public telecommunication numbering plan (Recommendation ITU-T E.164). Where a UK number is used, it must be a number that is designated as a ‘Telephone Number available for Allocation’ in the National Telephone Numbering Plan and be shown as allocated in the National Numbering Scheme.

• A diallable number must be one that is in service and can be used to make a return or subsequent call.

• A number uniquely identifies the caller (which can be an individual or an organisation) where it is one which the user has authority to use, either because it is a number which has been allocated to the user or because the user has been given permission (either directly or indirectly) to use the number by a third party who has been allocated that number.

4.11 The responsibility to ensure that CLI Data fulfils these requirements falls to all CPs involved in the transmission and interconnection of the call. The checks that a CP may be expected to carry out will vary depending on their role in that call.

...

4.15 For calls originated on networks to which the requirements of the GCs do not apply e.g. incoming international calls, the responsibility to check the validity of the CLI Data falls on the CP at the first point of ingress to the UK network. Where the CP at the point of ingress does not reasonably trust the CLI Data that is being provided, or where CLI Data is not available, the CP should insert a CLI from a range that has been allocated to them for this purpose as a Network Number and mark it as ‘unavailable’ so that it is not displayed to the call recipient.

...

4.17 In addition to ensuring that CLI Data is populated properly, General Condition C6 also places an obligation on all CPs to take steps to prevent calls that have invalid or non-diallable CLIs from reaching the called party. This means that CPs who have the technical capability should block or divert such calls. For the originating CP, this means they should not initiate calls that have invalid or non-diallable CLIs. Transit and terminating CPs, where they have the technical capability, should stop calls with invalid or non-diallable CLIs (for UK calls, these are calls using Presentation Numbers that are not from an allocated number range; and for international calls, a number that is not in the correct international format).

I cannot see any room for debate or let here.  Yes there might be a whole rat's nest of vipers in the realms of originating CPs, but the regulations apply to all CPs involved in the process, including the terminating CP.

As for international calls bearing a UK presentation CLI then there is good reason not to trust the presentation CLI.

The end requirement is that calls bearing invalid presentation CLIs should not reach the called party.

Given the requirements of GC6, how can Plusnet (BT Openreach) shirk the responsibility to inhibit the routing of calls originated from non-compliant parties - wherever they might be located, however they might be sourced?  Overseas or via VoIP, the TERMINATING CP has equal and full obligations to ensure that the presented CLI is a valid diallable number … or a remit to drop the call if it is not.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
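
The checks quoted from the Ofcom guidance in the post above (4.10, 4.15 and 4.17), plus the network-versus-presentation comparison it suggests, sketched as an added example that is not part of the original thread or any CP's real implementation. The prefix table, the placeholder number, the action names and the policy of distrusting a UK CLI on an international ingress are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the National Numbering Scheme; not real allocation data.
ALLOCATED_UK_PREFIXES = ("441632", "447700900")
# Hypothetical number from a range the ingress CP holds for untrusted CLI (4.15).
INGRESS_PLACEHOLDER = "+441632960000"
# E.164 shape: '+', no leading zero, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")

@dataclass
class Call:
    network_number: str          # where the call originated
    presentation_number: str     # CLI offered for display
    international_ingress: bool  # arrived from a network outside the GCs

def is_valid_cli(number: str) -> bool:
    """4.10: E.164 format and, for UK numbers, inside an allocated range."""
    if not E164.match(number):
        return False
    digits = number[1:]
    if digits.startswith("44"):
        return digits.startswith(ALLOCATED_UK_PREFIXES)
    return True

def decide(call: Call) -> tuple[str, str]:
    """Return (action, cli_carried_onward) for one inbound call."""
    cli = call.presentation_number
    # 4.15: no CLI data at the point of ingress -> insert own number, mark unavailable.
    if call.international_ingress and not cli:
        return ("route_cli_unavailable", INGRESS_PLACEHOLDER)
    # 4.17: invalid format or unallocated UK range -> stop the call.
    if not is_valid_cli(cli):
        return ("block", "")
    # 4.15 again: assumed policy that a UK CLI on an international
    # ingress is not reasonably trusted, so it is withheld from display.
    if call.international_ingress and cli.startswith("+44"):
        return ("route_cli_unavailable", INGRESS_PLACEHOLDER)
    # First-level check from the post: do the two numbers agree?
    if cli != call.network_number:
        return ("route_with_caution", cli)
    return ("route", cli)

if __name__ == "__main__":
    # Constructed sample calls.
    for c in (Call("+441632960111", "+441632960111", False),
              Call("+441632960111", "+440999123456", False),
              Call("+12025550123", "+441632960222", True)):
        print(c.presentation_number, decide(c))
```
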