  1. #1
    Join Date
    Sep 2012
    Posts
    87

    Concerned about Hetzner's data protection and security policies

    So I bid on a cheap server at Hetzner yesterday and won - it was a steal and perfect for running development projects on.

    I received a confirmation email shortly after and was told I would have to wait for 1 further email before the order could be completed.

    This morning I got an email saying that because this is my first server with them I would have to send them a copy of my passport and credit card which they stated would be deleted after 3 weeks.

    I work in Privacy so I don't just hand over sensitive data without questioning the purpose of the requirement and what security would be in place were I to hand over such data so I sent Hetzner the following questions:

    1. How are the images stored?
    2. What access control methods are in place & is there an audit trail?
    3. Are you PCI/DSS Certified if so please send me a copy of your certificate?
    4. Do you require a copy of the front and back of my debit card?
    5. Are the systems the images are stored on backed up?
    6. How do you destroy the images after three weeks and are backups also destroyed?
    7. How can you confirm to me the images have been destroyed?


    Their response was less than satisfactory:

    1. The images are stored in an internal database and will be automatically deleted after 4 weeks.
      (So why did the email say 3 weeks?)
    2. We cannot give you information about our internal control methods.
      (They expect me to hand over sensitive personal data but refuse to confirm whether or not they have systems in place to protect that data?)
    3. No, we are not PCI/DSS Certified.
      (They handle credit card details of many thousands of customers yet they are not PCI/DSS certified? PCI/DSS compliancy certification exists for a reason, one has to wonder why they have not done this.)
    4. A copy of the front is sufficient.
    5. No.
      (Sorry but I find this hard to believe - a server company that doesn't back up its own servers?)
    6. We are using a regular delete operation on our file system.
      (They stated in answer to question 1 that the images are stored in a database - so which is it, file system or database?)
    7. We do not offer confirmation of the delete process.
      (They demand that I hand over these highly sensitive data yet refuse to confirm that the data has been deleted?)


    I don't think scans of passport and credit cards are necessary data for the purpose of provisioning the service and I don't believe Hetzner are appropriately adhering to the principles of Data Protection required under German law. I will be writing to the German Data Protection and Freedom of Information Commissioner for clarification on this matter.

  2. #2
    Join Date
    Jan 2011
    Location
    Dallas, TX
    Posts
    1,479
    If you can't trust a reputable company like Hetzner with your photo ID and other basic information, don't use them; go somewhere else. Welcome to the world of server hosting. I am honestly surprised they even replied and answered your questions; some people would just close it and move on.

  3. #3
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by Mikeambrose3 View Post
    If you can't trust a reputable company like Hetzner with your photo ID and other basic information, don't use them; go somewhere else. Welcome to the world of server hosting. I am honestly surprised they even replied and answered your questions; some people would just close it and move on.
    So reputable they are not even PCI/DSS certified...

    Trusting any company with sensitive data when they refuse to illustrate their security and data protection policies is incredibly irresponsible and stupid, irrespective of their reputation.

  4. #4
    Join Date
    Jun 2009
    Posts
    1,219
    "PCI/DSS certified" means nothing over here in Germany, especially if you are a budget provider like Hetzner. You want a PCI/DSS certification and all that stuff? Pay twice to three times the money. Period.

    And like Mikeambrose3 said: if you do not trust Hetzner with your information, shop somewhere else. It is very common for dedicated server providers to ask for information like this and, believe me, not half of them are as professional and trustworthy as Hetzner. And only a third of them would take the time to answer a question like yours for a "handful of dollars" server. Not that I do not understand your concerns. But, as said: if you want it premium, pay premium.

  5. #5
    If a provider is not asking for verification on an order, then the risk of fraud is greatly increased, which is not only a danger for them but also for the customers on their network. While there are other methods of verification aside from scans of passport/CC, you shouldn't be surprised that they are asking for this. There is a very high risk of fraud in the hosting industry.

  6. #6
    Join Date
    Mar 2009
    Posts
    389
    Quote Originally Posted by Paladine View Post

    I work in Privacy...
    You work in Privacy? Where do you work and which certifications do you hold? Are you certified to assess privacy policies? If so, please attach your certifications/credentials.

  7. #7
    Join Date
    Apr 2003
    Location
    Atlanta, Jawja
    Posts
    3,066
    Quote Originally Posted by softshop011 View Post
    You work in Privacy? Where do you work and which certifications do you hold? Are you certified to assess privacy policies? If so, please attach your certifications/credentials.
    Ouch! As painful as that is, that's definitely a good "Quid Pro Quo".

    Paladine, Nick brought up a great point: You would be SHOCKED if hosting companies actually gave you figures for the amount of fraud that actually occurs or gets stopped within this profession/industry. I won't give you EXACT numbers but will generalize it, I rejected at least 9 orders for every one legit order as blatant or potential fraud back when I was reviewing orders. Sometimes even more than that.

    As someone recently said, if you can't trust your hosting provider with your ID, how can you trust them with your website?

    Hetzner does have issues from time to time, but they've never had an issue with their customer information being compromised (to date, KNOCK ON WOOD). I can guarantee you that if they had, WHT would be inundated with a litany of posts regarding this issue.

    My recommendation: provide them with the requested information or find another hosting provider. They were one of the companies I was looking at for colocation many years ago. The only reason I didn't personally go with them was their setup fees for half a rack. They met all of my other needs quite nicely.

  8. #8
    Join Date
    Jun 2011
    Location
    Internet
    Posts
    2,606
    Quote Originally Posted by Paladine View Post
    I work in Privacy
    What happened to working in 'consumer protection law and human rights all over the world'?

    And where can I get a job like yours? Sounds nice and diverse changing drastically in a matter of months.



    Fun and games aside, you should have clarified the position in German law on this before attempting to drag their name through the mud. I'd suggest everyone take your post with a grain of salt until the position of the law on the matters you raised are clarified.
    Last edited by Afterburst-Jack; 09-26-2013 at 06:23 PM.

  9. #9
    Join Date
    Jan 2011
    Location
    Between Earth & sky
    Posts
    473
    Hetzner is a big company. If you don't like to share your info, just try any other company.

  10. #10
    Join Date
    Aug 2010
    Location
    Belgium
    Posts
    654

    Hetzner asks this for every new customer I think. It's secure.

    This is just being paranoid.

  11. #11
    Join Date
    May 2012
    Posts
    832
    Quote Originally Posted by Douglas View Post
    Ouch! As painful as that is, that's definitely a good "Quid Pro Quo".

    Paladine, Nick brought up a great point: You would be SHOCKED if hosting companies actually gave you figures for the amount of fraud that actually occurs or gets stopped within this profession/industry. I won't give you EXACT numbers but will generalize it, I rejected at least 9 orders for every one legit order as blatant or potential fraud back when I was reviewing orders. Sometimes even more than that.

    As someone recently said, if you can't trust your hosting provider with your ID, how can you trust them with your website?

    Hetzner does have issues from time to time, but they've never had an issue with their customer information being compromised (to date, KNOCK ON WOOD). I can guarantee you that if they had, WHT would be inundated with a litany of posts regarding this issue.

    My recommendation: provide them with the requested information or find another hosting provider. They were one of the companies I was looking at for colocation many years ago. The only reason I didn't personally go with them was their setup fees for half a rack. They met all of my other needs quite nicely.
    http://www.webhostingtalk.com/showthread.php?t=1273461
    http://www.h-online.com/security/new...d-1884574.html

  12. #12
    Quote Originally Posted by Amitz View Post
    "PCI/DSS certified" means nothing over here in Germany. Especially if you are a budget provider like hetzner.

    Really? And they can ignore it because they are a budget provider?

    Good one.

    The OP has a valid point: if they are handling card data, they should have the required certs. The UK company I work for decided against getting them; we just stopped handling any card data, i.e. customer websites use SagePay forms and cardholder-present payments go directly to the processing company, not to our servers.

  13. #13
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by Flapadar View Post
    What happened to working in 'consumer protection law and human rights all over the world'?

    And where can I get a job like yours? Sounds nice and diverse changing drastically in a matter of months.
    Last I checked Privacy was a Human Right and also protected by various consumer protection laws...all over the world.

  14. #14
    Join Date
    Sep 2012
    Posts
    87
    This sort of thing is exactly why I asked them the questions I did. They are happy to demand sensitive data from me but they are not happy to answer my questions about their security.

  15. #15
    Join Date
    Jun 2009
    Posts
    1,219
    Quote Originally Posted by Scotty_B View Post
    Really? And they can ignore it because they are a budget provider?

    Good one.

    The OP has a valid point: if they are handling card data, they should have the required certs. The UK company I work for decided against getting them; we just stopped handling any card data, i.e. customer websites use SagePay forms and cardholder-present payments go directly to the processing company, not to our servers.
    I would say: yes. They surely have to follow German privacy and data protection laws, but a PCI certification is, as far as I know, not mandatory, and it is costly. So a budget provider might tend not to get certified to cut down costs.

    However, it is not that I do not understand the OP's point and concern. I would not give sensible data like this to anyone, even if they are certified and look for someone else. Hetzner, by the way, did not ask me to provide such data when I signed up with them.
