Carbonite privacy blunder results in spam
Popular online backup service Carbonite has made another privacy misstep.
Computerworld blogger Richi Jennings, a self styled “anti-spam wonk”, has discovered that the fact when he began receiving spam to the dedicated email address he used only for registering for Carbonite’s backup service .
Since the service’s privacy policy states that the company guarantees that the customers’ personal information will not be sold or disclosed to third parties unless mandated to do so in order to comply with law, Jennings considered the possibility that Carbonite’s customer database was breached – especially because the spam he was receiving didn’t come from Carbonite.
Understandably worried, he contacted the company, which responded by saying that an advertiser has misappropriated their email list during the process of one of their email marketing campaigns.
“When Carbonite launches an email marketing campaign, it provides a suppression list to email advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts,” the company explained, and added that they will ensure that all customer email addresses are permanently removed from the advertiser’s database.
But, as Jennings points out, this was a completely wrong way to go about the business. “What Carbonite should have done is to scrub the advertiser’s list itself, rather than send our sensitive data to a third party,” he says. “If that wasn’t possible, it should have arranged a way of matching the suppressed addresses using a one-way hash. That would have allowed the advertiser to remove Carbonite customer addresses from the list, without actually disclosing them.”
While not as bad as a breach, this incident should make an impression on Carbonite’s users. But, if their reaction to a a previous incident with lost backups is anything to go by, the company will not be heavily affected.
Unfortunately, most users still hold the belief that losing data or money online is something that happens to others. In this particular instance, the fact that they will be receiving additional spam might not seem like a big deal to many, but the point that I’m trying to make is that companies expect us to trust them with our data, but their guarantees that that data will be safe often prove to be empty words.