Hacker cracks Engin's CRM system

Hacker cracks Engin's CRM system

Summary: Fledgling Internet telephony vendor Engin was left red-faced after critical customer data was publicly compromised when a hacker exploited flaws in its customer relationship management (CRM) software. Engin said it had initiated a full-scale review of all programming processes after one of its users on Wednesday made a post on broadband information site Whirlpool revealing how to obtain details of other customers' orders over the Web.

Fledgling Internet telephony vendor Engin was left red-faced after critical customer data was publicly compromised when a hacker exploited flaws in its customer relationship management (CRM) software.

Engin said it had initiated a full-scale review of all programming processes after one of its users on Wednesday made a post on broadband information site Whirlpool revealing how to obtain details of other customers' orders over the Web. The problem was fixed the following morning -- before anyone could take advantage, the vendor said.

Engin chief executive Ilkka Tales said "we've...basically [changed] the processes in which we release changes, to make them sure they're completely tested and compliant before we release them onto the Web."

The author of the post said the technique was as easy as changing an order number in a Web address header.

"[There is] not even a simple check to see if your logged-in account number matches the one that owns the order," he said.

A similar technique had previously allowed him to pick any Engin number and freely divert it to whatever phone number he wished, he added.

Tales conceded the problem existed, but denied anybody had taken advantage of it.

"My understanding of it was that the [Whirlpool] customer could, by second-guessing other customers' order numbers, view someone else's purchase order," he told ZDNet Australia, admitting this would reveal details of the order such as the customer's name and delivery address.

Tales said no credit card information was disclosed in that part of the CRM system and blamed the problem on errors by the programmers Engin contracted to build its CRM.

The Engin user denied he had maliciously used any compromised customer data.

"I did nothing with the data I was able to find," he wrote on Whirlpool's user forums. "The only reason I posted here was because I had tried multiple times to get Engin to fix the problem, and they didn't."

Despite this, the user had earlier claimed he had rigged the CRM to divert one of his cancelled Engin phone number to his mobile phone.

"I therefore now have a free number diverting to my mobile at no cost to me -- I don't use it, but it sure shows that Engin have some major problems," he wrote.

Tales wrote into the broadband Web site to say "it should not take a Whirlpool post to fix an issue which has been reported. We have processes in place for collecting customer issues, this has clearly failed."

Engin has around 9,000 customers, according to a recent statement it made to the Australian Stock Exchange.

Topics: Unified Comms, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • blame

    With outsourcing becoming the real rage, I love the way Engin blame its hired contractors for the mistakes. Never mind ALL programmers make mistakes, and its up to their own testing procedures to catch them.
    How about taking some responsibility for their decisions.
  • Hacker?

    Where do you get off saying that the person is a hacker? Do you have proof of this? Maybe they accidentally found the fault.

    Oh thats right, I forgot. You are the media, you can make comments that are based on no fact at all!
  • agree

    I totally agree. It's far too easy for some journo to do a slap dash write-up with no regard for the consequences and still collect their pay at the end of the week.

    A ZDNet journo (all all writers) should know better than to automatically use the term "hacker". Referring to him as a "whistle blower" would have been much more suitable in this case.

    Ironically, zdnet.com.au has placed itself in a similar precarious position by not having any contact numbers either on the site or in the White Pages. This is a layer of separation between management and the public - much the same as Engin has. It may have some benefits, but it's going to bite you in the end.

    Andrew Smith
    Brisbane, Australia.
  • Disgusted.

    It is amazing that Zdnet has chosen to call this person a hacker. With all the negative connotations that term carries and implies.

    What the person in the Whirlpool article did was expose a weakness. To call this hacking is outrageous.

    The staff writers who chose to use the term
  • Journalist reponse

    hi there, thanks for your feedback on the article. I chose the word 'hacker' as the Whirlpool poster had broken into Engin's CRM and diverted calls to his mobile phone - thus in this case he was taking advantage of the poor CRM security to some extent.

    In addition, the word is a quick way of conveying that someone broke into a system - whether for good or ill. Both white hat (good) and black hat (bad) hackers exist.
    In answer to the query about contact information, my e-mail is renai.lemay@zdnet.com.au, and my phone number is 02 8514 9948. I would be happy to take your call.
    Kind regards,
    Renai LeMay
  • Kudos

    Hi Renai,

    Kudos to you for popping in with an explanation and a reply.

    Andrew Smith
  • Misleading


    I have e-mailed you about the "hacker" term you chose to use - before I saw the comments here.

    You said that "both white hat (good) and black hat (bad) hackers exist". This may be true, but the term is almost always associated with the black hat variety. I guess you are implying here that you see me as a white hat hacker, however I don't. Seeing myself referred to as a "hacker", with my full name and location intact, was not a pleasant suprise.

    As I said in my e-mail, I would appreciate if you could remove the term from your article.


  • Stupid journalists

    I happen to know the guy concerned here, and he simply is not a hacker. He's a pretty decent guy, a good web designer and a decent programmer. Is every who finds a security hole a hacker?

    Typical lame, sensationalist ZDNet/CNet reporting. I feel sorry for all the people who believe the stuff you lot 'report' on and actually think it's true.
  • Cowardly stone thrower

    It was in kind regard for Renai to post her details and explain her terms.

    You on otherwise enjoy hiding behind anonymity and hurling abuse.

  • Hacker...

    Hacker is a term that originated from highly proficient programmers that 'hacked' code together quickly, or working at low level code, rather than a 'cracker' who gained illegal access or commits cybersabotage. As usual, a couple of hollywood flicks and a few years of press in the 90s and we have transformed the term.

    'White hat' hacking or 'ethical cracking' is still exactly that - cracking.

    If Tims actions were ethical he would not have posted it to a public forum, not would he have 'stolen' communication time by illegally forwarded a previous account to his mobile.

    Tim, you have demonstrated that your actions are not quite those of a white night, but seeking self gain.
    It's your bed, just how you made it, time to lie in it.

    ps - I'll stick to being the sort of hacker I am, on the golf course.
  • Yeah, righto.

    You miss a minor detail... that Tim REPEATEDLY tried to contact the company about it. They still didn't fix it. He THEN put it through to his phone to make a point. Posting it publicly MADE them fix it.

    You paint Tim as the bad guy, because he 'cracked' their system. So doing something that CAN be unethical and wrong, to prove why something should be fixed, is wrong because it breaks 'the rules' i.e. never hack because it's 3V17!!!11oneOMG

    Bloody legalists.
  • Heh

    Renai is a he. :P

    It was nice of him to remove Tim's name and location from the article.
  • Oops

    I was actually trying to reply to one of the posts above.
  • Hacker or Helper?

    Imagine you see a parked, unattended, full-to-brim delivery truck with the doors left wide open. You notice that the truck has the keys in the ignition.
    You tell the store the driver has left his doors wide open and keys in ignition and this requires immediate attention. No action. You try again. No action. <p>

    In the meantime, you've been walking back and forth, checking to see if the truck is secured, yet. Eventually you call out in public, where you know you will be seen and heard, saying that the store needs to get someone out there to secure that truck. Voila! Truck is secured.<p>

    Is this hacking?
  • wow..

    Heated discussion..! As a newbie to the industry I can see why people have become upset with the term hacker, and i'ts a shame it took engin so long to fix the problem which had been brought to their attention repeatedly before the so called "hacker" did what he thought was necessary to get some atcion.

    However, I can see where the journalist is coming from and I think its great that he has voiced his opinion also.

    There are many more voice providers out there such as PennyTel.