Carbonite Privacy Breach Leads To Spam
richi writes "It looks like Carbonite, Inc. has been giving out customers' personal information. The company has admitted to giving customer email addresses to a third party, in direct contravention of its privacy policy. A company statement reads: 'Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.'"
The only way to prevent this stuff is to out the culprits who did this. Why would they protect a company that screwed their reputation?
Apparently they forgot the confidentiality part of security, while paying too much attention to integrity and assurance.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Anyone with a domain of their own knows most companies give out personal information either willingly or accidentally.
Sign up with accounts like facebook@yourdomain.com, slashdot@yourdomain.com, twitter@yourdomain.com (to pick a few) and you'll find two thirds of those get spam directly to it.
Sometimes it's days later, sometimes months or years, but it's inevitable. Why is this news?
If you give your entire customer list to a third party you are just asking for it to be abused. No matter how strict their "policies" may be with respect to handling your data, all it takes is one disgruntled employee to grab a copy on their way out the door and that's the best case. It can only get worse from there.
There is only one way to guarantee that your data is not abused - don't give it to anyone else. All the rules and laws of man will never top the fact that you can't copy what you don't have.
FWIW I've seen this happen first-hand. E*Trade farmed their mailings for options trading out to some third party, and they dutifully sent them for six months to me at "etrade@ryel-industries.com" - the address I had on file with E*Trade. I was annoyed enough that E*Trade thought spamming me was a good idea that I remembered it. But a year later I started getting spam from Ameritrade or Schwab or whatever they are called now sent to "etrade@ryel-industries.com" and when I checked the Received: headers it was the same 3rd party as E*Trade had used.
Of course E*Trade couldn't even comprehend what I was talking about when I complained to them. I haven't really done much with my E*Trade account since. They obviously don't really give a damn about my privacy.
When information is power, privacy is freedom.
Just solidifies my opinion that Carbonite is an irresponsible company, and I've been saying this for a while - this is just an example. You think that trusting all the data on your computer to a company who can't even keep your email address or other account information safe is a good idea? Cloud backup is irresponsible to start with. Off-site MANAGED backups are fine, but just throwing all your data out into the ether and expecting it to be safe is asinine. What will it take for people to stop *giving* away their data?
Carbonite: endorsed by Glenn Beck and Rush Limbaugh. 'Nuff said.
But why? I think if either of them actually cared about rights to privacy, etc., they wouldn't be recommending this kind of shit to their listeners/viewers. We see once again that they are just puppets controlled by strings of money. It's not about actually recommending a good product to the consumer, but making sure that commission check is as large as possible.
So, they engaged an outfit of professional spammers, handed them their customer list and were surprised when the spammers did what spammers always do?
That's like buying a shark and shoving your dick in its mouth so that it can learn not to bite off your dick.
If you were blocking sigs, you wouldn't have to read this.
Also endorsed by Boba Fett.
If you RTFA, you'll quickly realize what Carbonite did was provide a 'do-not-spam' list to, well, a spammer... and then, surprise, surprise, the spammer misuses or abuses it.
The list was Carbonite customers AND people who previously clicked the opt-out link in past Carbonite spam... So strictly speaking, this wasn't a straight list of Carbonite customers. Spam might be annoying, but there is a bigger issue here: If you wanted to phish Carbonite logins, you'd have a pretty good start.
Scrubbing the list in-house won't happen... Carbonite doesn't have huge lists, the spammers do. And the spammers are not going to give Carbonite their whole list to scrub, those things are money. So Carbonite has to give an opt-out list to the spammers and trust them not to spam it. Sure...
The article's suggestion of address hashes is kinda bogus, and especially dangerous if the hashed addresses are known to be customers. Assuming a spammer/phisher already has eleventy billion addresses, this is a hash collision attack. All the spammer has to do is hash their list and look for matches. Instant customer list.
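The matching problem the comment above describes, as an added example that is not part of the thread and not Carbonite's or the article's code: a suppression list protected only by a plain SHA-256 of each address gives away membership to anyone who already holds a corpus of candidate addresses, because they just hash their own corpus and intersect. The keyed variant (HMAC with a secret the list owner never hands out) defeats that, but only if the owner also does the matching. All addresses and the key below are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the article): a small suppression list
# and a larger candidate corpus an outside party might already hold.
SUPPRESSION_LIST = ["alice@example.com", "Bob@example.org", "carol@example.net"]
CANDIDATE_CORPUS = [
    "alice@example.com",
    "dave@example.com",
    "bob@example.org",
    "erin@example.net",
    "frank@example.com",
]


def normalize(addr: str) -> str:
    """Canonical form used on both sides so that case/whitespace differences do not hide matches."""
    return addr.strip().lower()


def plain_hash_list(addresses) -> set:
    """The 'address hash' scheme the comment criticizes: unkeyed SHA-256 per address."""
    return {hashlib.sha256(normalize(a).encode()).hexdigest() for a in addresses}


def recover_members(hashed_list: set, corpus) -> list:
    """Membership recovery against a plain-hashed list: hash every candidate and look
    for it in the published set. No preimage attack is needed; the address space is
    effectively the attacker's own corpus."""
    return sorted(
        a for a in corpus
        if hashlib.sha256(normalize(a).encode()).hexdigest() in hashed_list
    )


def keyed_hash_list(addresses, key: bytes) -> set:
    """Hardened form: HMAC-SHA256 under a secret key that stays with the list owner."""
    return {hmac.new(key, normalize(a).encode(), hashlib.sha256).hexdigest() for a in addresses}


def match_with_key(hashed_list: set, corpus, key: bytes) -> list:
    """Matching that only the key holder can perform: the same HMAC over the candidates."""
    return sorted(
        a for a in corpus
        if hmac.new(key, normalize(a).encode(), hashlib.sha256).hexdigest() in hashed_list
    )


def demo() -> dict:
    """Run both schemes against the same corpus and report who can learn what."""
    key = secrets.token_bytes(32)  # generated fresh; never leaves the list owner
    plain = plain_hash_list(SUPPRESSION_LIST)
    keyed = keyed_hash_list(SUPPRESSION_LIST, key)
    return {
        # Anyone holding the corpus recovers the customers from the plain list.
        "plain_leaks": recover_members(plain, CANDIDATE_CORPUS),
        # Without the key, plain hashing finds nothing in the keyed list.
        "keyed_without_key": recover_members(keyed, CANDIDATE_CORPUS),
        # The key holder still matches correctly.
        "keyed_with_key": match_with_key(keyed, CANDIDATE_CORPUS, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The keyed list fixes the leak the comment points out, but it does not fit the workflow the thread describes: if the advertiser is the one running the match, it needs the key, and the key is then as exposed as the list was. The keyed scheme only helps when the list owner performs the matching itself (which means receiving the advertiser's candidates), and the comment's point that advertisers will not hand over their lists stands; reconciling both constraints is what private set intersection protocols are for, which is outside this example.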
You have lost control of it. You can make any claims you want, but if your agreement with users permits you to share the data, you should be legally bound to state that you cannot guarantee privacy. In essence, you have ended your agreement with your users at that point.
Since asking users in advance if you can share their data with a third party is both impractical and likely to cause outrage and refusal, no company is going to do this willingly. So we are back to square one.
If you share user data with a third party, you have lost control. Any claims to privacy are deceptive at best, outright fraudulent at worst.
Even if you claim to compel the third parties to abide by agreements, there is no guarantee unless you own them and/or control the data. That would not be 'giving'.
deleting the extra space after periods so i can stay relevant, yeah.
<insert Han Solo joke here>
There, I did it.
Oh my. Quaking in my boots over here. Holy mother of Jesus where's my martini? I'm being threatened by a Windows 7 power user. Please Hammer don't hurt me.