UPDATE: Additional Information On $5,700 Bandwidth Overage Story

Last week, we brought you the story of Mick, whose dedicated server was compromised and who was hit with $5,700 in bandwidth charges. Many readers, especially those working in the field, had questions about the particulars of his plan and contract with the Web host. The company, ServePath, contacted us with those details, as well as some crucial background information.

For starters, Mick is a former consultant of ServePath who was receiving a free service from us during his employment here and after. He was given a free server with the agreement that he would pay for any bandwidth. He was not paying for managed server hosting. His server was essentially, by agreement, unmanaged by us and managed by him.

Checking his LinkedIn profile shows this. [Link redacted, but it does. -Ed.]

That being said, our Terms of Service clearly state: “ServePath has no obligation to monitor the Service for AUP violations or for other illegal or improper conduct” and

“Customer is responsible for maintaining security and for maintaining patches and disaster recovery systems, except to the extent ServePath specifically accepts such responsibility by listing such service features in Customer’s Signup”.

We did offer a number of various remedies to correct the issue. Also, no payment for charges incurred had been made since November 2008 on this account.

Lastly, we have settled the account with him this afternoon.

I hope that you can post an update to your article that says that we made best business efforts to resolve this with him over a period of time, and, coupled with the fact that he was receiving the server (unmanaged by us) for free, was an ex-consultant of ours and was responsible for the bandwidth charges that were incurred, that the full story had not been revealed.

So the bandwidth situation has been resolved, Consumerist didn’t have all the facts in our initial post, and keep an eye on your servers if you don’t want this to happen to you.



  1. Nick1693 says:

    I know that it was in their ToS, but I still think they should contact him (or any of their customers, really) if their bill is $5,700 and they don’t usually have a bill that high. Same with AT&T and the guy who downloaded Wall·E.

    • snazz says:

      @Nick1693: if the usage happens quickly, they might not have a system in place for analyzing what constitutes bizarre use and then notifying a customer. especially in the wall-e case. it happens so fast. nor should it be their responsibility to monitor someone’s use and notify them of oddities.

      • SarcasticDwarf says:

        @snazz: Fair enough, but then they should not complain when they get a lot of bad press every time something like this happens (and with hosting companies it is a DAILY occurrence). If you could log into your account management interface and set an alert or stop order if usage/fees/whatever reached a certain point then I would have a lot more sympathy for the companies.

        • Sean Masters says:

          @SarcasticDwarf: Why?

          The customer was clearly in the wrong here, as he obviously had the full extent of the setup handed to him right up-front.

          I agree with Consumerist’s rule of “don’t blame the consumer” about 99.9% of the time. This is absolutely not one of those times. “Unmanaged” means you are responsible, period.

          Would alerts be a nice-to-have? Sure, but whether they are available or not should not change how you feel about the hosting firm, because from start to finish an unmanaged server is your responsibility.

          • SarcasticDwarf says:

            @Sean Masters: Why? For the reasons stated in the post you replied to. I am not saying that the guy bears no responsibility, but what would happen if the bandwidth charge was 100,000 or $1,000,000? Would you expect him to pay it? At a certain point it is stupidity on the part of the company NOT to do it. Heck, your credit card is YOUR responsibility, yet nobody expects to pay for fraudulent charges. The idea applies to every industry BUT the hosting industry it seems.

            • Sean Masters says:

              @SarcasticDwarf: please explain how bandwidth usage charges, when clearly defined, are in any way fraudulent.

              I would absolutely expect a customer to pay overage charges. Same goes with cell phones – if you’ve got clearly defined limitations and overage charges, etc., then you have absolutely no excuse.

              • Trey Mahaffey says:

                @Sean Masters: there are always numerous ways to make excuses… that is why we have so many lawyers here in America!

                a good attorney could either get the charge reduced or eliminated… if there is a will there is a way. (so long as will has a lot of money)

              • godai says:

                @Sean Masters: I clone your cell phone’s sim card while you are in the bathroom then run up your cell phone bill.

                Perhaps unauthorized might be a better term than fraudulent.

                • Sean Masters says:

                  @godai: ah right, that is absolutely a factor in this story. Still, that is really the customer’s issue, in that the customer should be going after the person (through lawful means) who racked up the unauthorized bandwidth usage.

                  The hosting company “forgiving” the charge might be nice, but it is in no way required, nor would it be a smart business move, imo, as it might lead to greater expectations and higher overhead, therefore leading to higher prices for all customers.

              • j-o-h-n says:

                @Sean Masters: What if somebody managed to hack your phone to, say, send out a zillion text message spams? Would you feel responsible for those charges (assuming you don’t have an unlimited text plan, which I certainly don’t)?

                • Dalzig says:

                  @j-o-h-n: The difference is that a cell phone is an end-user device. The person who purchases a cell phone has no expectation to have to prevent people from cracking your phone. Protecting the physical entity phone, however, is in the hands of the end-user.

                  A server, especially unmanaged by the host, puts all responsibility on the server administrator. If you fail to implement that important security patch or anti-DDOS measure, you are leaving yourself liable for all charges incurred.

        • Thermopyle says:


          When you have a dedicated server, there aren’t panels and stuff like that. As the administrator with the server, YOU, set up a system to alert you if you’re approaching your bandwidth limit.

          • bohemian says:

            @Thermopyle: Very correct. But a server farm is going to have some sort of warning system on their side if something suddenly sucks down almost all of their bandwidth. That is a protection on their side to make sure there is enough bandwidth available to the other servers.
            It is the guy who had the server’s responsibility to keep it properly secured. The hosting company is trying to CYA their behinds on who is responsible for what and that is understandable. BUT, to sit on their hands while someone racks up a $5700 bill and not even bother to go look at the traffic is a bit irresponsible.

            It would be in a hosting company’s best interest to not have people incur bills they can’t pay. At some point the costs go beyond what someone is able to pay and you will never see all of it.

            • Sean Masters says:

              @bohemian: the host is covering their rear by NOT involving themselves, really. They tell you that you are responsible for traffic and overages and then stay hands-off, because if they get involved it could be argued “they should have done something”.

            • CmdX says:

              @bohemian: a host might or might not have a ‘warning system’, but it would take a REALLY big spike for the average dedicated-server host to take notice and that is only because it is probably a Distributed Denial of Service attack (someone is sending/requesting so much data from so many ‘hijacked’ computers that it slams the server/network.) If your host has problems providing other customers their base bandwidth because your server is spiking in traffic you need to find a new host.

              A host is under no obligation to monitor the customer’s un-managed equipment. A good host will offer some sort of web-based control panel/billing software that will let YOU watch it, but you have to be diligent and responsible.

              Also, in many of these cases it is just the host passing down the bill to the customer. Overage fees aren’t just free money for the ‘greedy’ hosting provider.

          • SarcasticDwarf says:

            @Thermopyle: Correct, but usage is tracked on a server and account basis by the company, so they can still do it. As one poster put below “It would be in a hosting company’s best interest to not have people incur bills they can’t pay. At some point the costs go beyond what someone is able to pay and you will never see all of it.”

            • Nick1693 says:

              @SarcasticDwarf: If usage is tracked on a server, then I’m sure you can easily make it email a warning to the customer. I’m also mostly sure that if a customer were told they were racking up a huge bill, they’d have a bit more trust in the company.

      • bohemian says:

        @snazz: In the Wall-e situation some sort of process in the system could have been in place if someone did a combination of things it provided them with a popup message or screen block. IE: if you’re using a connection that has high fees, like a ship’s wifi and either after a certain amount of download or just an up front. “Hey stupid you’re on a really expensive connection, do you want to continue?”

    • Bailen says:

      @Nick1693: By just browsing around their site they have server packages that are up to $1200 per month, and they state that their overusage fee on bandwidth is $2 per GB, making the overage by the OP approx 2800GB. Taking into account that their plans seem to include 1500-4000GB per month of transfer I don’t think they would notice any kind of spike whatsoever in their bandwidth logs or any performance hit to any other user whatsoever. That would be like you using an extra 300 minutes on your cell phone during the month when you only get 100 to begin with. not really noteworthy to your cell company. Another note is that he is getting the server for free and just paying for bandwidth, so it’s definitely his responsibility to monitor it. For a spike in bandwidth to trigger on their system I would imagine it would need to be in the 15-20000GB range.

      Another point that has been stated above, this was an unmanaged server, basically a box the OP owns with an IP address. There would be no server admin console, just his billing info that they provide, with a bandwidth monitor I might add. Any warnings you would set up yourself on your server, or even an auto lockout if bandwidth exceeds x amount.

      Third point is that he had not paid his bill in six months, perhaps this 5700 included his previous bills as well.

    • Oranges w/ Cheese says:

      @Nick1693: As a recent employee of AT&T, I can honestly say that in my brief experience it does appear that store reps do a pretty poor job of letting customers know about data usage charges. I’ve had no less than 20 customers (in a WEEK) tell me they were never informed that X service uses the data on their phone. Of course I am certain that most representatives would assume the customer *knows* that downloading a ringtone or downloading – note the stress, it’s kind of obvious, isn’t it? – a picture is going to use your data (and if you aren’t signed up for a data plan it’s going to cost you). And I also agree that there should be some sort of block in place to avoid amazingly huge overage charges on both minutes and data from day 1 of the account being open.

      However, that isn’t how they do business and we do make every effort to advise customers of their self-service options so they can keep tabs on their usage just for this very reason. Doesn’t mean that some of them aren’t idiots and don’t pay attention.

  2. bornonbord says:

    Sounds like there was a beef.

    Really glad you updated this. It’s unfortunate that some people will blow personal issues out of proportion in order to get some attention for their own f*** up.

    • wgrune says:


      Yeah, like not paying his bill for 6 months.

      • bohemian says:

        @wgrune: They also didn’t mention how much his bills were each month between now and November. If he had minuscule bills of say $2.50 a month some places will have you wait to pay them until it is over a certain amount of money.

  3. Cant_stop_the_rock says:

    This is exactly why you should make some effort to get the other side of the story BEFORE posting stuff that damages a company’s reputation.

  4. WiglyWorm must cease and decist says:

    a) It’s too bad people can use consumerist as a vehicle to badmouth companies they have an agenda against even when the facts are not on their side.

    b) It’s too bad consumerist doesn’t support animated gifs as avatars.

    • Thermopyle says:


      It’s also too bad the consumerist didn’t wait for a reply on their request for comment (I’m SURE you guys requested a comment, right?) to the hosting company.

      • royceguy says:

        @Thermopyle: While every story should be researched for accuracy and legitimacy, I’d hate to see Consumerist make ‘waiting for a reply on the request to comment’ a standard procedure. Not only could this kill the timeliness of posts, but could be used by companies in the wrong to stall a negative post or to preemptively lie. On the contrary, printing a follow up article like this is just as effective at making the original “victim” look like that much more of a tool for leaving relevant details out of their account.

        Besides, whether or not a person ACTUALLY did anything wrong never seems to be a consideration for them when companies overbill, raise prices or attempt to take advantage of a situation or monopoly. Just sayin’….

  5. ospreyguy says:

    Sounds like I would have a collection on my credit…

  6. Mr_Human says:

    I sometimes wonder if Consumerist should take their stories to the next level and contact companies that are being complained about for their side of the story. It would raise credibility.

    • Mr_D says:

      @Mr_Human: I don’t think that’s necessary. What would be nice is an automated or semi-automated method for companies to respond to a story – writing these full stories after the fact seems like a lot of work.

      When a company has to go out of their way to respond to allegations and they do so, that at least says something. This is still a consumer advocate site, not a consumer issue moderation service, and I don’t think it’s odd to side with the consumer by default.

    • Gramin says:


      I agree with Mr_D. This isn’t the WSJ or NYT. Furthermore, most companies do not and cannot discuss the details of their clients’ accounts. There would be hell to pay if Verizon posted the details of my account, regardless of whether or not I complained about them to Consumerist.

      • RvLeshrac says:


        Legally, once you’ve put the details in the open, I don’t think they’re going to be liable for restating those same details. If the company editorializes, they may be guilty of slander or libel, but I see no legal reason for them to be unable to defend themselves against slanderous or libelous accusations.

    • coren says:

      @Mr_Human: I know that at least, some of the time, they do just that.

    • stopNgoBeau says:

      @Mr_Human: Nah, because then they would be a news source, and not just bloggers.

    • xredgambit says:

      @Mr_Human: I personally think go for as much detail the consumer can give, if they have a reasonable source in the company to ask them for some info, then post. I doubt that the consumerist can get any further with normal csr’s or any info from the company on an open case.
      If they have the reasonable contact then contact the company before posting. I’m sure the consumerist has a reasonable contact in Woot or Newegg or Zappos or any companies that normally provide great customer service.
      But for things like comcast or time warner or verizon, they may have a contact but such a large company they may not be able to get any details.

    • trujunglist says:


      Half of the stories are about people trying to contact the company and receiving no response. Consumerist would have to EECB the company themselves just to get an answer. It’s not up to Consumerist to play policeman and get answers out of these companies – that’s their own job – they just report a story from the consumer’s side. If the company feels they’ve been wronged, they can contact Consumerist at that point and get their side of the story out. The majority of the time the company is the one that screwed up so it’s better to assume that the consumer is right than to assume that the company is right because odds are going in that direction.

  7. GC says:

    Sounds like some script kiddy got into his box and racked up a nice and huge bandwidth bill.

  8. digitalgimpus says:

    The key lesson here is really _managed_ vs. _unmanaged_.

    That said, most customers don’t know the difference. They just see the unmanaged is cheaper and go with it. Just be aware of what you buy.

    It’s kinda like “some assembly required”. If you don’t know how to follow directions, buy it assembled.

    • bohemian says:

      @digitalgimpus: Maybe have customers provide some sort of proof they know what they are doing before being allowed to buy the unmanaged option. I am sure they get someone who buys unmanaged because it is cheaper and then floods tech support with 101 questions because they don’t know what they are doing.

    • Gramin says:


      This could be a key lesson for a normal consumer. However, “Mick is a former consultant.” Something tells me he knew the difference. Furthermore, I don’t think “normal” or “average” people are buying servers. The Average Joe has no need for one. If you’re purchasing a server, you probably know what unmanaged includes.

  9. Benjamin M Martin says:

    I know how many businesses can’t comment directly on particular customers’ accounts. But does this apply here?

    Can the hosting company just air the dirty laundry of the case out in the open like that?

    Just a thought, anyway…

  10. coren says:

    I’m curious as to how the situation was resolved – it might affect my decision as to whether to work with them in the future or not

  11. guspaz says:

    People seem to be missing a big part of the original complaint; ServePath was charging him per-gig overage fees and refusing to drop the costs down to the closest pre-paid plan (~$1100ish if memory serves).

    ServePath was under absolutely no obligation to do so, but helping a customer out of a bind in such a manner is rarely something a company is obligated to do, merely something that they SHOULD do.

    • Sean Masters says:

      @guspaz: fair question here – would you, as a business-owner, take a $4000 hit to make a non-paying customer happy?

      Remember: in the end, ServePath still has to pay the bandwidth charges to their service provider.

      • guspaz says:

        @Sean Masters: Who said anything about a hit? There’s an incredible markup here. Bandwidth costs range from as low as $4 per megabit to perhaps $10-15 for higher quality bandwidth in large quantities (which hosts get).

        When you have a large network, bandwidth usage can become quite averaged, but let’s take into account peak demand by doubling the amount of bandwidth required over the average, or an effective $30 per megabit. This may be more expensive than actual costs due to 95th percentile billing and large companies averaging bandwidth use over thousands of customers, flattening the demand curve.

        4500GB of bandwidth (ignoring what part is overage and what part was included with the original plan) would then cost $450. So the company wanted a ~1000% markup. Sure, they’re within their rights, but if a customer can’t afford such a huge bill, would you, as a company, rather make $500 by reducing the charge, or $0 when the customer can’t pay?

        FYI, larger providers can push the cost of high quality bandwidth from a company like Peer1 *WAY* below $10-15 per megabit. My broadband ISP has said it costs them about $0.03 CAD per gig, which would result in a cost of $135 for the 4500GB. The ISP charges $0.10 for extra bandwidth ($450/mth), a fraction of the cost of ServePath’s overages.

        It’s an annoying fact of life when it comes to hosting. The vast majority of companies gouge on overages due to high degrees of overselling. This means that your bandwidth costs go up by an order of magnitude or two when you use up your included allotment. Some providers, though, have reasonable overage fees.

    • suzy-q says:

      @guspaz: The statement from the company doesn’t necessarily say that they didn’t do just that…just that they settled the account. To me, “settling” implies that he did get some discount from the rate he was initially charged.

    • cluberti says:

      @guspaz: Unfortunately, this happens. However, as the customer of an unmanaged server, it’s up to the customer to provide security and manage the bandwidth usage of the server. That’s the risk you take with a cheaper unmanaged box, and those are the rules of the game.

      Don’t complain about them when it comes back to bite you, as this is likely always clearly spelled out in the contract you sign when you acquire the service (I’ve never seen a contract for unmanaged service that didn’t spell this out, but I’ve not seen every contract, so I say “likely” just in case).

      • There's room to move as a fry cook says:

        @cluberti: I see no reason why a webhost can’t monitor bandwidth overages on unmanaged servers. They certainly monitor it so they can bill you. Unmanaged refers to support not to bandwidth – the contract has a bandwidth cap and a charge if you go over. Certainly the host should mitigate its damages and its liability to its upstream provider if a client suddenly grossly exceeds his contract.

        BTW: it’s “data transfer” NOT “bandwidth”.

  12. tedyc03 says:

    Reading the original story and the explanation, it does sound like the customer’s fault.

    When the box is unmanaged it’s your job to set up a paging system and monitoring software to watch usage. We do that at work and everyone who manages a box should be doing that. Managing a box isn’t the same as letting it just run all day.

    I don’t see a reason for them to be forgiving in this case. They seem to have bent over backwards.
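
The self-run usage monitoring that several commenters describe for an unmanaged box, as an added example that is not part of the original thread: it accumulates month-to-date transfer from Linux `/proc/net/dev` counters, survives counter resets after a reboot, and projects the overage bill. The 1500 GB allowance and $2/GB rate are the figures quoted in the comments above, not verified plan terms; the interface name `eth0`, billing in decimal GB, and counting both directions are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

GB = 10**9  # assumption: the host bills in decimal gigabytes

# Constructed sample in the Linux /proc/net/dev layout (two header lines).
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0: 5000000000 100 0 0 0 0 0 0 90000000000 200 0 0 0 0 0 0
"""


def read_counters(text: str, iface: str) -> Tuple[int, int]:
    """Return (rx_bytes, tx_bytes) for iface from /proc/net/dev content."""
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, _, rest = line.partition(":")
        if name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[8])  # rx bytes, tx bytes
    raise KeyError(f"interface {iface!r} not found")


@dataclass
class TransferMeter:
    included_gb: float       # monthly allowance (figure from the thread)
    overage_per_gb: float    # overage rate in dollars (figure from the thread)
    total_bytes: int = 0     # month-to-date transfer, both directions
    last: Optional[Tuple[int, int]] = None

    def update(self, rx: int, tx: int) -> None:
        """Add traffic since the previous sample; the first sample is a baseline."""
        if self.last is not None:
            for prev, cur in zip(self.last, (rx, tx)):
                # A counter lower than last time means it was reset (reboot,
                # interface re-created), so all of `cur` is new traffic.
                self.total_bytes += cur - prev if cur >= prev else cur
        self.last = (rx, tx)

    def assess(self, day: int, days_in_month: int) -> Tuple[str, float, float]:
        """Return (level, used_gb, projected_overage_cost) for this month."""
        used_gb = self.total_bytes / GB
        projected_gb = used_gb * days_in_month / day   # linear projection
        cost = max(0.0, projected_gb - self.included_gb) * self.overage_per_gb
        if used_gb >= self.included_gb:
            level = "CRITICAL"   # already paying overage
        elif projected_gb >= self.included_gb:
            level = "WARNING"    # on course to exceed the allowance
        else:
            level = "OK"
        return level, used_gb, cost


def demo() -> Tuple[str, float, float]:
    """Constructed samples: a traffic surge, a reboot, then more traffic."""
    meter = TransferMeter(included_gb=1500, overage_per_gb=2.0)
    samples = [(10 * GB, 40 * GB), (20 * GB, 240 * GB),
               (1 * GB, 9 * GB), (2 * GB, 89 * GB)]
    for rx, tx in samples:
        meter.update(rx, tx)
    return meter.assess(day=3, days_in_month=30)


if __name__ == "__main__":
    level, used, cost = demo()
    print(f"{level}: {used:.0f} GB used, projected overage ${cost:,.2f}")
```

Run from cron, the meter's `total_bytes` and `last` would be saved to disk between runs and zeroed at the start of each billing period, with anything other than `OK` sent to a pager or mailbox.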

  13. pmcpa4 says:

    I applaud the Consumerist here for the follow up, though it would have been nice to have both sides to begin with. The OP was wrong. People need to realize that unmanaged servers are just that, the Hosting company doesn’t monitor them, and can’t. It is up to the customer to do that. If you want an alarm to go off…. buy a managed plan!

    On a side note, it seems that the more and more stories that the Consumerist checks with both sides, it looks like a majority of them the OP is in the wrong, or at least has left out a major chunk of the story.

  14. Project_J187 says:

    I find it a little pathetic that Mick left those details out of his initial email. Those are certainly details that matter and Mick should have certainly known that (at least the “I get a server for free”).

    At any rate I am glad the issue was resolved and now hope that Mick’s account has been terminated and he has to go through proper channels to get a server (after all, he wants all the customer service like a real customer so he should have to pay for it)

  15. EdnaLegume says:

    even my evil credit card company contacts me about unusually large purchases. and they soooo want it to be legit.

  16. calchip says:

    I’m sorry, but this is simply PR spin on the part of Servepath designed to make them appear to be less greedy and gouging than they actually are.

    There is no POSSIBLE way that 4000 gigs of bandwidth should cost $5700 or anything remotely close to that price, whether the server was being provided for “free” or whatever. More than a buck a gig for transfer in 2009, even at overage rates, is simply gouging. Topnotch bandwidth is available for 5 to 10 cents a gig, and even at overage rates of 3x the going rate, we’re talking 30 cents, not $1.30.

    Secondly, even the “discounted rate” of $1200 a month for 5,000 gigs (or whatever it was) is one of the biggest ripoffs I have ever heard, particularly if this is for “unmanaged” servers. The topnotch ISP we use, with exceptional fully managed support, and tier 1 bandwidth, charges us considerably less than half of Servepath’s rate for more than four times the bandwidth. This is nothing short of the most gross, outrageous gouging.

    Third, if these folks aren’t monitoring their bandwidth then they’re either incompetent, lazy, or intentionally choosing not to for the purpose of gouging customers on overages. Every high-end router found in a data center can be configured to monitor and shape traffic, and send alert messages when bandwidth goes above a certain threshold. Further, every data center operator I know has a network admin team that specifically looks for this sort of unusual activity, because it can sometimes signal a breach, which can mean phishing, child porn, or other illegal content finding its way onto the servers, for which the ISP could potentially have liability.

    I’m sorry, but this looks like a major PR whitewash job to me. And the fact that the OP “settled” with Servepath today indicates that they probably offered him a very cheap rate to settle, in exchange for him shutting up and the hope that the whole thing goes away so Servepath’s other customers don’t realize how badly they are being gouged.

    I hope that this thread DOESN’T die and that more people get the word on how badly this place is gouging.

    • henwy says:

      It’s not gouging if you’re not forced to use their service. If you don’t like the rate plan, then don’t fucking buy the service. If you do, then you take responsibility for it and you pay your damn bills. You certainly don’t go whining about something that was your fault, trying to shift blame onto others.

  17. physics2010 says:

    So did the redacted link say how much bandwidth $5700 buys you?