Hacker cracks Engin's CRM system

Summary: Fledgling Internet telephony vendor Engin was left red-faced after critical customer data was publicly compromised when a hacker exploited flaws in its customer relationship management (CRM) software. Engin said it had initiated a full-scale review of all programming processes after one of its users on Wednesday made a post on broadband information site Whirlpool revealing how to obtain details of other customers' orders over the Web.

Fledgling Internet telephony vendor Engin was left red-faced after critical customer data was publicly compromised when a hacker exploited flaws in its customer relationship management (CRM) software.

Engin said it had initiated a full-scale review of all programming processes after one of its users on Wednesday made a post on broadband information site Whirlpool revealing how to obtain details of other customers' orders over the Web. The problem was fixed the following morning -- before anyone could take advantage, the vendor said.

Engin chief executive Ilkka Tales said "we've...basically [changed] the processes in which we release changes, to make sure they're completely tested and compliant before we release them onto the Web."

The author of the post said the technique was as easy as changing an order number in a Web address header.

"[There is] not even a simple check to see if your logged-in account number matches the one that owns the order," he said.

A similar technique had previously allowed him to pick any Engin number and freely divert it to whatever phone number he wished, he added.
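The missing ownership check the Whirlpool poster describes, for both the order lookup and the number diversion, shown as an added Python example that is not Engin's code: a constructed in-memory CRM with the unchecked lookup beside a hardened one that verifies the logged-in account owns the record, returns the same "not found" for unknown and not-owned identifiers, and logs denials so identifier guessing can be spotted. Table names, record values and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Record:
    record_id: int
    owner_account: int
    detail: str

# Constructed sample tables standing in for the CRM's orders and phone numbers.
ORDERS: Dict[int, Record] = {
    1001: Record(1001, 42, "A. Customer, 1 Example St"),
    1002: Record(1002, 77, "B. Customer, 2 Sample Ave"),
}
NUMBERS: Dict[int, Record] = {
    5551000: Record(5551000, 42, "divert=none"),
    5552000: Record(5552000, 77, "divert=none"),
}
AUDIT: List[Tuple[int, str, int]] = []  # (account, table, record_id) of denied lookups

def lookup_unchecked(table: Dict[int, Record], record_id: int) -> Optional[Record]:
    # The flaw the post describes: the identifier from the URL is used directly,
    # so any logged-in account can read or change any record by guessing numbers.
    return table.get(record_id)

def lookup_owned(table: Dict[int, Record], name: str, account: int,
                 record_id: int) -> Optional[Record]:
    # Hardened form: after fetching, confirm the session's account owns the record.
    # Unknown and not-owned both return None so the response does not reveal whether
    # a guessed identifier exists; the denial is logged for detection instead.
    record = table.get(record_id)
    if record is None:
        return None
    if record.owner_account != account:
        AUDIT.append((account, name, record_id))
        return None
    return record

def view_order(account: int, order_id: int) -> Optional[str]:
    rec = lookup_owned(ORDERS, "orders", account, order_id)
    return rec.detail if rec else None

def divert_number(account: int, number: int, target: str) -> bool:
    rec = lookup_owned(NUMBERS, "numbers", account, number)
    if rec is None:
        return False
    rec.detail = f"divert={target}"
    return True

def suspicious_accounts(threshold: int = 3) -> List[int]:
    # Detection: accounts denied access to other customers' records at least
    # `threshold` times, i.e. likely enumerating identifiers.
    counts: Dict[int, int] = {}
    for account, _, _ in AUDIT:
        counts[account] = counts.get(account, 0) + 1
    return [a for a, n in counts.items() if n >= threshold]
```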

Tales conceded the problem existed, but denied anybody had taken advantage of it.

"My understanding of it was that the [Whirlpool] customer could, by second-guessing other customers' order numbers, view someone else's purchase order," he told ZDNet Australia, admitting this would reveal details of the order such as the customer's name and delivery address.

Tales said no credit card information was disclosed in that part of the CRM system and blamed the problem on errors by the programmers Engin contracted to build its CRM.

The Engin user denied he had maliciously used any compromised customer data.

"I did nothing with the data I was able to find," he wrote on Whirlpool's user forums. "The only reason I posted here was because I had tried multiple times to get Engin to fix the problem, and they didn't."

Despite this, the user had earlier claimed he had rigged the CRM to divert one of his cancelled Engin phone numbers to his mobile phone.

"I therefore now have a free number diverting to my mobile at no cost to me -- I don't use it, but it sure shows that Engin have some major problems," he wrote.

Tales wrote on the broadband Web site to say "it should not take a Whirlpool post to fix an issue which has been reported. We have processes in place for collecting customer issues; this has clearly failed."

Engin has around 9,000 customers, according to a recent statement it made to the Australian Stock Exchange.

Topics: Unified Comms, Security
