Slashdot Mirror
Carbonite Privacy Breach Leads To Spam
richi writes "It looks like Carbonite, Inc. has been giving out customers' personal information. The company has admitted to giving customer email addresses to a third party, in direct contravention of its privacy policy. A company statement reads: 'Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.'"
"The matter will be addressed privately with the involved third parties". That's not what "privacy policy" means, you know?
The only way to prevent this stuff is to out the culprits who did this. Why would they protect a company that screwed their reputation?
Apparently they forgot the confidentiality part of security, while paying too much attention to integrity and assurance.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Anyone with a domain of their own knows most companies give out personal information either willingly or accidentally.
Sign up with accounts like facebook@yourdomain.com, slashdot@yourdomain.com, twitter@yourdomain.com (to pick a few) and you'll find two thirds of those get spam directly to it.
Sometimes it's days later, sometimes months or years, but its inevitable. Why is this news?
If you give your entire customer list to a third party you are just asking for it to be abused. No matter how strict their "policies" may be with respect to handling your data, all it takes is one disgruntled employee to grab a copy on their way out the door and that's the best case. It can only get worse from there.
There is only one way to guarantee that your data is not abused - don't give it to anyone else. All the rules and laws of man will never top the fact that fact you can't copy what you don't have.
FWIW I've seen this happen first-hand. E*Trade farmed their mailings for options trading out to some third party, and they dutifully sent them for six months to me at "etrade@ryel-industries.com" - the address I had on file with E*Trade. I was annoyed enough that E*Trade thought spamming me was a good idea that I remembered it. But a year later I started getting spam from Ameritrade or Schwab or whatever they are called now sent to "etrade@ryel-industries.com" and when I checked the Received: headers it was the same 3rd party as E*Trade had used.
Of course E*Trade couldn't even comprehend what I was talking about when I complained to them. I haven't really done much with my E*Trade account since. They obviously don't really give a damn about my privacy.
When information is power, privacy is freedom.
Carbonite: endorsed by Glenn Beck and Rush Limbaugh. 'Nuff said.
Proverbs 21:19
Just solidifies my opinion that Carbonite is an irresponsible company, and I've been saying this for a while- this is just an example. You think that trusting all the data on your computer to a company who can't even keep your email address or other account information safe is a good idea? Cloud backup is irresponsible to start with. Off-site MANAGED backups are fine, but just throwing all your data out into the ether and expecting it to be safe is asinine. What will it take for people to stop *giving* away their data?
It's irresponsibility like this that keeps me from embracing the cloud like I want to. I don't trust anyone, so I'm actually thinking of building my own personal cloud infrastructure to store my stuff offsite, email, etc.
People who believe that their "personal information" isn't being sold are just being ignorant. These are probably the same people who believe that ALL the money they deposit is sitting in the vault at the bank.
So, they engaged an outfit of professional spammers, handed them their customer list and were surprised when the spammers did what spammers always do?
That's like buying a shark and shoving your dick in its mouth so that it can learn not to bite off your dick.
If you were blocking sigs, you wouldn't have to read this.
The 3rd party would only ever get the intersection of "do not mail" and their own marketing list. And emails wouldn't be sitting around in clear text in a database / filesystem..
I created a unique email address to use with a company I ordered products from. No one else had that address. A while later I got a phishing email (pointing to http://www.official-2011-skype-upgrade.com/) at that address. The email addressed me by my name as well as the email address ("Joe Blow <uniqueaddress@somedomain.tld>").
Is this conclusive evidence that my private/personal information with the company has been compromised? Maybe they lost control of my credit card and address information as well? Is this worth reporting to the district attorney in their state (NY — they have privacy breach reporting laws).
If you RTFA, you'll quickly realize what Carbonite did was provide a 'do-not-spam' list to, well, a spammer... and then, surprise, surprise, the spammer misues or abuses it.
The list was Carbonite customers AND people who previously clicked the opt-out link in past Carbonite spam... So strictly speaking, this wasn't a straight list of Carbonite customers. Spam might be annoying, but there is a bigger issue here: If you wanted to phish Carbonite logins, you'd have a pretty good start.
Scrubbing the list in-house won't happen... Carbonite doesn't have huge lists, the spammers do. And the spammers are not going to give Carbonite their whole list to scrub, those things are money. So Carbonite has to give an opt-out list to the spammers and trust them not to spam it. Sure...
The article's suggestion of address hashes is kinda bogus, and especially dangerous if the hashed addresses are known to be customers. Assuming a spammer/phisher already has eleventy billion addresses, this is a hash collision attack. All the spammer has to do is hash their list and look for matches. Instant customer list.
You have lost control of it. You can make any claims you want, but if your agreement with users permits you to share the data, you should be legally bound to state that you cannot guarantee privacy. In essence, you have ended your agreement with your users at that point.
Since asking users in advance if you can share their data with a third party is both impractical and likely to cause outrage and refusal, no company is going to do this willingly. So we are back to square one.
If you share user data with a third party, you have lost control. Any claims to privacy are deceptive at best, outright fraudulent at worst.
Even if you claim to compel the third parties to abide by agreements, there is no guarantee unless you own them and/or control the data. That would not be 'giving'.
deleting the extra space after periods so i can stay relevant, yeah.
<insert Han Solo joke here>
There, I did it.
The clear technical way to prevent it would be to give a list of cryptographic hashes to use as the email suppression list, instead of the actual list of customers itself.
Since they did not think of this obvious and simple technical way to preserve privacy, it makes me worry about the rest of their software.
I'm happy my data is backed up with https://spideroak.com/
Personally, If you too stupid or lazy to backup your personal, important, and private data yourself (It's really not that hard), including off location backups -
Then you deserve what you get.. Im suprized they don't try to root through their customers backups and sell that off.
Why in the world would you trust an outside party with your data is beyond me.. Stupid is as stupid does..
Are you kidding me? A marketing company selling "online backup" on the Rush Limbaugh show? This is slashdot worthy? Stay tuned for a metallurgical analysis of the QVC ninja swords...
Politics has nothing to do with it. Where a company chooses to spend their money is something that I consider where to spend my money. I would never use Carbonite because they fund these insane radio shows. If everybody cared where they spent their money, crazies like Beck and Limbaugh wouldn't have any advertisers at all.
I don't respond to AC's.
Asking on /. because I haven't found anything myself yet: Is there any such thing as an online backup service that:
1. Is either EU-based or is a signatory to the EU-US Safe Harbor scheme.
2. Has a reasonably good reputation - and doesn't consider customer data disposable.
3. Appreciates that we don't necessarily have unlimited bandwidth so offers a media-shipping option for data restores.
4. Operates a reseller program.
5. Supports OS X and Windows.
6. Isn't in some sort of crazed rush to the bottom that will ultimately guarantee any reputation they have right now evaporates over the next 18-24 months.
I've looked around and I don't think there's any such thing. Every major company I've found appears to have a bit of a blind spot when it comes to restoring data with any degree of reliability.
...yeah, if you ignore that whole being hugely popular thing.
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
please do out the offending company, also do contact the AG
Snowden and Manning are heroes.
information ...
I'm not sure about you, but anyone with half a clue realizes that if they were actually in the business of protecting your data, they wouldn't be giving email addresses to anyone. Whats better is that they give out their ENTIRE FUCKING LIST, and then give another list of 'don't email these guys' ... seriously? How about you just NOT INCLUDE THOSE PEOPLE TO BEGIN WITH?
They are double dipping. Charging for service, then selling your info. And this is a company thats supposed to be backing up ALL of your personal data and keeping it safe?
Anyone who continues to use Carbonite is an idiot, they are not a good company to do business with, just another facebook.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
So you'd rather give your money to Mozy, that just raised their rates for average users (500GB) by 5x or so?
I'd honestly been thinking about switching to Carbonite before this fiasco... their imagined politics had nothing to do with it.
Besides, Glen Beck fulfills a necessary niche in our world, just like Mother Jones and Keith Olbermann on the left. It's actually a very good thing to have a diversity of viewpoints available. Having the media all talking with one voice would gatekeeper out a lot of alternative viewpoints.
I read both sides, and even engage in a bit of science literacy outreach for the noggins on The Blaze.
Apparently, not so good.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
This isn't quite as bad as most of the comments make it sound. They are using the email addresses of their customers as a suppression file. This is not the same as renting out the names.
They mention two cases:
1. They are sending out an email advertising campaign, and use the file of customer's email addresses to delete customers off the file, so existing customers don't get an email advertising their service. I can understand with the irritation at a company sending unsolicited email, but the suppression of customers isn't a bad thing.
2. They are sending an email to their own customers, but use the list of customers that requested no emails be sent to prune those names out of the file. That is certainly a good thing.
Both of those tasks can't be done by a vendor without providing a list of email addresses, and this is nearly always done by an outside vendor. The problem is the email vendor broke the privacy agreement, or somebody stole the names, or whatever. How can they honor a request to not email a certain customer without matching that customer's email up against their mail file?
My question is, where does Carbonite get their marketing list of emails? Are they sucking down all the email of their customers and puling email addresses out of their backed up documents? To me this seems like an obvious possibility - they simply grep all the documents they have for valid email addresses and send it away to the spammers they have contracted.
Then a day later you get an email saying "Wouldn't you love to become protected like your pal bob@super.com? His data is backed up, why isn't yours?"
Your data is only as secure as your backup service provider. Make sure your data is encrypted fromt he second it leaves your possession. Check Dynamic Vault Dynamic Vault. They offer encrypted remote backup with multiple key, full turn-key DR services and even offer the option for them not to know the key (you're on your own if you lose it).
Agreed about the diversity of viewpoints. We need more free speech, not less. As for backups, I'd recommend CrashPlan. Mozy's backup and restore software sucked worse than an industrial vacuum. Losing a bunch of my data from a restore failure and their rates soaring was the last straw for me. Carbonite was better, but it sucked up too much CPU and bandwidth and couldn't be configured otherwise. Crashplan just works, is very configurable, can back up to my other PCs or external harddrive (for fast restores), and is cheaper than the others. You can get the software for free and pay $5 month (or less for longer periods) to store it encrypted on their servers.
Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
A word of warning.
I used to use [companyname]@mydomain.com for everything I signed up for. It worked great for a long time. The only downside was having to use a catchall address, but not a huge deal.
Unfortnately what will eventually happen is someone will troll through whois records or just grab random domains from existing mailing lists, and start sending out spam from random strings of letters/words @ that domain..
The trick is to not use a catchall. Setup a redirection for every address in use. Anything not defined should bounce. With Sendmail this means a virtuser entry for each address. Admittedly, this is not as convenient as a catchall but it does provide immunity from dictionary attacks like you describe. Long on my to-do list (but never actually done) is to create a script to check From: and Reply-To: on all outgoing mail and automatically add new addresses to virtusers if they are not already present.
It is even possible to retrofit this method if you have previously been using a catchall, as I did. All it takes is basic shell text processing and access to all the old mail. If anyone hasn't sent me any email is, say, three years then they probably are never going to.
I don't think so. I think they paid the spammer to spam his list with their ad and gave him their customer list so that he would delete those addresses from his list and so not spam them.
Not selling your info. Hiring a spammer and then giving him your address expecting him to use it only for the intended purpose of washing his list. Incompetent bunglers: a typical Web business.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
David Friend, the CEO of Carbonite, has commented on this event. Interestingly, his take on what happened differs from what was posted in the linked article from CW. According to Mr. Friend, they use an email forwarding agency/company for communications to their customers. He claims that this company misappropriated their customer email list for their own purposes. I'm not sure who I trust less; the CEO of the company that had the problem or the CW author who is apparently afraid no one else would find his article noteworthy so he posted it himself.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
That's the intended usage of the list of hashes: for each address that the marketer already has, they can determine whether it's the address of an existing customer so they can exclude it from the ad campaign. No technological measures can avoid the fact that if you want an advertiser to exclude your customers from an ad campaign, you have to give them a way to determine who your customers are. Only trust (and trustworthiness) can resolve that.
But hashing the list would at least prevent the marketer from learning new addresses that they didn't already know about, so it's better than giving them the raw list.
I wrote them last week and told them that the email account I set up specifically for their company was getting spammed, and that their customer email list must have been compromised. They wrote back the following:
Great, they didn't sell it, they gave it away free to untrustworthy dirtbags. Makes me feel much better to know that the company I'm entrusting with my backups doesn't bother to vet its business associates. I'm moving to crashplan.
I create unique email addresses for every company I do business with. A surprising number (I estimate @ 15%) end up getting spammed. In every case I write to the company and let them know that their email database has somehow been compromised. I have yet to get a reply to even one of those emails. That tells me that either it was deliberate or they don't give a crap. I'd say go ahead and refer your case to whatever law enforcement agency you think appropriate, but don't expect much.
The "cloud" hides those pesky & boring details of where your data is stored, and how it is backed up, and who has access. Super convenient!
Oh, and your identity is just a bit more data whose location(s), access, and use are all hidden from you. Super convenient!
Love the cloud.
I am so glad I recommended Crashplan instead of Carbonite to my Mom. I got Crashplan too.
The good thing about Crashplan being that it also gives you a free client to duplicate backup to a hard disk you have networked somewhere or a friend's computer. Oh and they are "unlimited backup".
From what I can tell of their character, I doubt Crashplan would ever, ever do what Carbonite did.
I'm impressed by your approach to protecting your email address. How do you track the alias to the form you filled out? Great idea for a privacy protecting app right there! Craig www.newtechobserver.com
I'm in contact with the company. We'll see how they want to proceed.
I am still going to report the incident. The NY AG is sending a complaint form for me to fill out. I had tried the DA, but I guess that's the wrong organization — they kept basically ignoring me.
Only provide a list of HASHES of email addresses you don't want to send to. And don't store a list of addresses to suppress yourself. Store a list of hashes. It is the only way to guarantee those people will never be emailed again. I've worked with companies who had emailing operations for their customers and on at least two occasions they accidentally emailed the "do not email" list. Had they been only storing hashes this would have been impossible.