Slashdot Mirror
Carbonite Privacy Breach Leads To Spam
richi writes "It looks like Carbonite, Inc. has been giving out customers' personal information. The company has admitted to giving customer email addresses to a third party, in direct contravention of its privacy policy. A company statement reads: 'Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.'"
"The matter will be addressed privately with the involved third parties". That's not what "privacy policy" means, you know?
The only way to prevent this stuff is to out the culprits who did this. Why would they protect a company that screwed their reputation?
Apparently they forgot the confidentiality part of security, while paying too much attention to integrity and assurance.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Anyone with a domain of their own knows most companies give out personal information either willingly or accidentally.
Sign up with accounts like facebook@yourdomain.com, slashdot@yourdomain.com, twitter@yourdomain.com (to pick a few) and you'll find two thirds of those get spam directly to it.
Sometimes it's days later, sometimes months or years, but its inevitable. Why is this news?
So it's not surprise to me these guys are unprincipled scum.
---Technology will liberate us if it doesn't enslave us first.
If you give your entire customer list to a third party you are just asking for it to be abused. No matter how strict their "policies" may be with respect to handling your data, all it takes is one disgruntled employee to grab a copy on their way out the door and that's the best case. It can only get worse from there.
There is only one way to guarantee that your data is not abused - don't give it to anyone else. All the rules and laws of man will never top the fact that fact you can't copy what you don't have.
FWIW I've seen this happen first-hand. E*Trade farmed their mailings for options trading out to some third party, and they dutifully sent them for six months to me at "etrade@ryel-industries.com" - the address I had on file with E*Trade. I was annoyed enough that E*Trade thought spamming me was a good idea that I remembered it. But a year later I started getting spam from Ameritrade or Schwab or whatever they are called now sent to "etrade@ryel-industries.com" and when I checked the Received: headers it was the same 3rd party as E*Trade had used.
Of course E*Trade couldn't even comprehend what I was talking about when I complained to them. I haven't really done much with my E*Trade account since. They obviously don't really give a damn about my privacy.
When information is power, privacy is freedom.
Carbonite: endorsed by Glenn Beck and Rush Limbaugh. 'Nuff said.
Proverbs 21:19
Just solidifies my opinion that Carbonite is an irresponsible company, and I've been saying this for a while- this is just an example. You think that trusting all the data on your computer to a company who can't even keep your email address or other account information safe is a good idea? Cloud backup is irresponsible to start with. Off-site MANAGED backups are fine, but just throwing all your data out into the ether and expecting it to be safe is asinine. What will it take for people to stop *giving* away their data?
It's irresponsibility like this that keeps me from embracing the cloud like I want to. I don't trust anyone, so I'm actually thinking of building my own personal cloud infrastructure to store my stuff offsite, email, etc.
When Carbonite lost client data, customers had to sue to get reimbursed. It wasn't a free refund. By the time they collected their lawsuit winnings, most of the companies lost too many clients. How long do you think it will take to get back your entitled winnings when your email is given to an advertiser? Less than a decade I am sure. But then again...
People who believe that their "personal information" isn't being sold are just being ignorant. These are probably the same people who believe that ALL the money they deposit is sitting in the vault at the bank.
So, they engaged an outfit of professional spammers, handed them their customer list and were surprised when the spammers did what spammers always do?
That's like buying a shark and shoving your dick in its mouth so that it can learn not to bite off your dick.
If you were blocking sigs, you wouldn't have to read this.
The 3rd party would only ever get the intersection of "do not mail" and their own marketing list. And emails wouldn't be sitting around in clear text in a database / filesystem..
I created a unique email address to use with a company I ordered products from. No one else had that address. A while later I got a phishing email (pointing to http://www.official-2011-skype-upgrade.com/) at that address. The email addressed me by my name as well as the email address ("Joe Blow <uniqueaddress@somedomain.tld>").
Is this conclusive evidence that my private/personal information with the company has been compromised? Maybe they lost control of my credit card and address information as well? Is this worth reporting to the district attorney in their state (NY — they have privacy breach reporting laws).
If you RTFA, you'll quickly realize what Carbonite did was provide a 'do-not-spam' list to, well, a spammer... and then, surprise, surprise, the spammer misues or abuses it.
The list was Carbonite customers AND people who previously clicked the opt-out link in past Carbonite spam... So strictly speaking, this wasn't a straight list of Carbonite customers. Spam might be annoying, but there is a bigger issue here: If you wanted to phish Carbonite logins, you'd have a pretty good start.
Scrubbing the list in-house won't happen... Carbonite doesn't have huge lists, the spammers do. And the spammers are not going to give Carbonite their whole list to scrub, those things are money. So Carbonite has to give an opt-out list to the spammers and trust them not to spam it. Sure...
The article's suggestion of address hashes is kinda bogus, and especially dangerous if the hashed addresses are known to be customers. Assuming a spammer/phisher already has eleventy billion addresses, this is a hash collision attack. All the spammer has to do is hash their list and look for matches. Instant customer list.
You have lost control of it. You can make any claims you want, but if your agreement with users permits you to share the data, you should be legally bound to state that you cannot guarantee privacy. In essence, you have ended your agreement with your users at that point.
Since asking users in advance if you can share their data with a third party is both impractical and likely to cause outrage and refusal, no company is going to do this willingly. So we are back to square one.
If you share user data with a third party, you have lost control. Any claims to privacy are deceptive at best, outright fraudulent at worst.
Even if you claim to compel the third parties to abide by agreements, there is no guarantee unless you own them and/or control the data. That would not be 'giving'.
deleting the extra space after periods so i can stay relevant, yeah.
<insert Han Solo joke here>
There, I did it.
The clear technical way to prevent it would be to give a list of cryptographic hashes to use as the email suppression list, instead of the actual list of customers itself.
Since they did not think of this obvious and simple technical way to preserve privacy, it makes me worry about the rest of their software.
I'm happy my data is backed up with https://spideroak.com/
Personally, If you too stupid or lazy to backup your personal, important, and private data yourself (It's really not that hard), including off location backups -
Then you deserve what you get.. Im suprized they don't try to root through their customers backups and sell that off.
Why in the world would you trust an outside party with your data is beyond me.. Stupid is as stupid does..
Are you kidding me? A marketing company selling "online backup" on the Rush Limbaugh show? This is slashdot worthy? Stay tuned for a metallurgical analysis of the QVC ninja swords...
Asking on /. because I haven't found anything myself yet: Is there any such thing as an online backup service that:
1. Is either EU-based or is a signatory to the EU-US Safe Harbor scheme.
2. Has a reasonably good reputation - and doesn't consider customer data disposable.
3. Appreciates that we don't necessarily have unlimited bandwidth so offers a media-shipping option for data restores.
4. Operates a reseller program.
5. Supports OS X and Windows.
6. Isn't in some sort of crazed rush to the bottom that will ultimately guarantee any reputation they have right now evaporates over the next 18-24 months.
I've looked around and I don't think there's any such thing. Every major company I've found appears to have a bit of a blind spot when it comes to restoring data with any degree of reliability.
please do out the offending company, also do contact the AG
Snowden and Manning are heroes.
information ...
I'm not sure about you, but anyone with half a clue realizes that if they were actually in the business of protecting your data, they wouldn't be giving email addresses to anyone. Whats better is that they give out their ENTIRE FUCKING LIST, and then give another list of 'don't email these guys' ... seriously? How about you just NOT INCLUDE THOSE PEOPLE TO BEGIN WITH?
They are double dipping. Charging for service, then selling your info. And this is a company thats supposed to be backing up ALL of your personal data and keeping it safe?
Anyone who continues to use Carbonite is an idiot, they are not a good company to do business with, just another facebook.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Made from Ham Solo.
Apparently, not so good.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
"we will ensure that all customer e-mail addresses are permanently removed from their database"
Carbonite... what is it they do again? Oh that's right backups....
Interesting that a company who specializes in backup technology mentions having the addresses permenantly removed from the vendor's database... but no mention of it being removed from all of the backups that the vendor might have.
Of course this is after they told their customers that "the security and privacy of our customer data is our top priority."
Clearly this shows that something else has a higher priority...
This isn't quite as bad as most of the comments make it sound. They are using the email addresses of their customers as a suppression file. This is not the same as renting out the names.
They mention two cases:
1. They are sending out an email advertising campaign, and use the file of customer's email addresses to delete customers off the file, so existing customers don't get an email advertising their service. I can understand with the irritation at a company sending unsolicited email, but the suppression of customers isn't a bad thing.
2. They are sending an email to their own customers, but use the list of customers that requested no emails be sent to prune those names out of the file. That is certainly a good thing.
Both of those tasks can't be done by a vendor without providing a list of email addresses, and this is nearly always done by an outside vendor. The problem is the email vendor broke the privacy agreement, or somebody stole the names, or whatever. How can they honor a request to not email a certain customer without matching that customer's email up against their mail file?
so carbonite gave the 3rd party a blacklist of email addresses who had opted out...
why not only provide a whitelist of email addresses who had opted in? security through obscurity, anyone?
insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
My question is, where does Carbonite get their marketing list of emails? Are they sucking down all the email of their customers and puling email addresses out of their backed up documents? To me this seems like an obvious possibility - they simply grep all the documents they have for valid email addresses and send it away to the spammers they have contracted.
Then a day later you get an email saying "Wouldn't you love to become protected like your pal bob@super.com? His data is backed up, why isn't yours?"
Your data is only as secure as your backup service provider. Make sure your data is encrypted fromt he second it leaves your possession. Check Dynamic Vault Dynamic Vault. They offer encrypted remote backup with multiple key, full turn-key DR services and even offer the option for them not to know the key (you're on your own if you lose it).
Since I don't use Carbonite. I have my own form of Carbonite, it's called an external HDD and CD-R's. :) Also, unless I absolutely must, I don't give out my personal info to sites that ask for it, or I make some up. Very few things out there on the internet that I deal with on a regular basis actually know ME.
I don't look at this as lying, I look at this as "you don't have a need to know". My personal information is patented, copyright, trade and service marked - ME. Also, it's classified. I could tell you, but... you know the rest. :^)
They use spamvertisers.. and you expect them to respect privacy.
A word of warning.
I used to use [companyname]@mydomain.com for everything I signed up for. It worked great for a long time. The only downside was having to use a catchall address, but not a huge deal.
Unfortnately what will eventually happen is someone will troll through whois records or just grab random domains from existing mailing lists, and start sending out spam from random strings of letters/words @ that domain..
The trick is to not use a catchall. Setup a redirection for every address in use. Anything not defined should bounce. With Sendmail this means a virtuser entry for each address. Admittedly, this is not as convenient as a catchall but it does provide immunity from dictionary attacks like you describe. Long on my to-do list (but never actually done) is to create a script to check From: and Reply-To: on all outgoing mail and automatically add new addresses to virtusers if they are not already present.
It is even possible to retrofit this method if you have previously been using a catchall, as I did. All it takes is basic shell text processing and access to all the old mail. If anyone hasn't sent me any email is, say, three years then they probably are never going to.
I don't think so. I think they paid the spammer to spam his list with their ad and gave him their customer list so that he would delete those addresses from his list and so not spam them.
Not selling your info. Hiring a spammer and then giving him your address expecting him to use it only for the intended purpose of washing his list. Incompetent bunglers: a typical Web business.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It would seem that they only paid attention to "assurance" to me. Integrity would be any number of things they didn't do. Like... when we said in our privacy policy we're not giving your information out, we ... actually don't give your information out. That might confer a bit of integrity on their actions. Saying you won't share information only to then share that information with the condition "Don't talk to these people.. we promised not to show you what we're showing you" has somewhat less of an integrity rating.
David Friend, the CEO of Carbonite, has commented on this event. Interestingly, his take on what happened differs from what was posted in the linked article from CW. According to Mr. Friend, they use an email forwarding agency/company for communications to their customers. He claims that this company misappropriated their customer email list for their own purposes. I'm not sure who I trust less; the CEO of the company that had the problem or the CW author who is apparently afraid no one else would find his article noteworthy so he posted it himself.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
That's the intended usage of the list of hashes: for each address that the marketer already has, they can determine whether it's the address of an existing customer so they can exclude it from the ad campaign. No technological measures can avoid the fact that if you want an advertiser to exclude your customers from an ad campaign, you have to give them a way to determine who your customers are. Only trust (and trustworthiness) can resolve that.
But hashing the list would at least prevent the marketer from learning new addresses that they didn't already know about, so it's better than giving them the raw list.
I wrote them last week and told them that the email account I set up specifically for their company was getting spammed, and that their customer email list must have been compromised. They wrote back the following:
Great, they didn't sell it, they gave it away free to untrustworthy dirtbags. Makes me feel much better to know that the company I'm entrusting with my backups doesn't bother to vet its business associates. I'm moving to crashplan.
I create unique email addresses for every company I do business with. A surprising number (I estimate @ 15%) end up getting spammed. In every case I write to the company and let them know that their email database has somehow been compromised. I have yet to get a reply to even one of those emails. That tells me that either it was deliberate or they don't give a crap. I'd say go ahead and refer your case to whatever law enforcement agency you think appropriate, but don't expect much.
Besides violating their own privacy policy by giving their E-Mail address list TO SPAMMERS, they also admit in this message that they knowingly deal with spammers, and are willing to spam EVERYBODY ELSE ON THE PLANET (excluding existing customers.) This alone is enough for me to not want to every do business with them.
I had no idea who they were. So I searched on google. Once you get past their advertisments it's ONLY bad stuff. Like their Unlimited being 100G or less: https://nickstarr.wordpress.com/2006/06/29/carbonite-when-unlimited-is-limited/
Or how about Wikipedia? https://en.wikipedia.org/wiki/Carbonite_%28online_backup%29#Amazon_review_controversy
The "cloud" hides those pesky & boring details of where your data is stored, and how it is backed up, and who has access. Super convenient!
Oh, and your identity is just a bit more data whose location(s), access, and use are all hidden from you. Super convenient!
Love the cloud.
I am so glad I recommended Crashplan instead of Carbonite to my Mom. I got Crashplan too.
The good thing about Crashplan being that it also gives you a free client to duplicate backup to a hard disk you have networked somewhere or a friend's computer. Oh and they are "unlimited backup".
From what I can tell of their character, I doubt Crashplan would ever, ever do what Carbonite did.
I'm impressed by your approach to protecting your email address. How do you track the alias to the form you filled out? Great idea for a privacy protecting app right there! Craig www.newtechobserver.com
I'm in contact with the company. We'll see how they want to proceed.
I am still going to report the incident. The NY AG is sending a complaint form for me to fill out. I had tried the DA, but I guess that's the wrong organization — they kept basically ignoring me.
Only provide a list of HASHES of email addresses you don't want to send to. And don't store a list of addresses to suppress yourself. Store a list of hashes. It is the only way to guarantee those people will never be emailed again. I've worked with companies who had emailing operations for their customers and on at least two occasions they accidentally emailed the "do not email" list. Had they been only storing hashes this would have been impossible.