Slashdot Mirror


Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

1 of 247 comments

  1. Re:Is it fixed? by t4ng* · Score: 5, Informative

    Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

    Exactly. Datek or Ameritrade or TD Ameritrade, I forget at which point in their many buy-outs, has been repeatedly compromised in the past. At first they denied it and claimed that spammers had just guessed my email account. So each time I would create a new email account in my own domain consisting of a random collection of 12 letters, numbers, and punctuation marks. And each time they were compromised I would point out to them the impossibility of a spammer guessing my email account.

    Finally, they just started a policy of sending me an email saying they are investigating it but their company policy does not allow them to give me any details of their findings or what, if anything, they did to fix it.
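The per-provider address technique that the submission and the comment above both rely on, as an added example (not code from either poster): each vendor gets an address carrying an HMAC-derived tag, and delivered mail is classified by whether a valid tag arrives from a sender outside that vendor's domains. The key, the domain `example.org`, the vendor name `acmetools`, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"  # assumption: private key held by the domain owner
DOMAIN = "example.org"            # assumption: the owner's own mail domain

def tag(vendor):
    """Unguessable 12-character tag (60 bits) bound to one vendor name."""
    mac = hmac.new(SECRET, vendor.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac)[:12].decode().lower()

def address_for(vendor):
    """Address to hand to exactly one vendor, e.g. acmetools.<tag>@example.org."""
    return f"{vendor.lower()}.{tag(vendor)}@{DOMAIN}"

def classify(raw_message, vendor_domains):
    """Return (vendor, verdict) for one delivered message.

    The From header is unauthenticated; a real deployment would compare
    against SPF/DKIM-verified domains rather than the header alone.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for _, rcpt in getaddresses(headers):
        local, _, dom = rcpt.lower().rpartition("@")
        vendor, sep, seen = local.rpartition(".")
        if dom != DOMAIN or not sep:
            continue  # ordinary mailbox, not a per-vendor address
        if not hmac.compare_digest(seen.encode(), tag(vendor).encode()):
            return vendor, "forged-or-guessed"  # tag was never issued by us
        allowed = vendor_domains.get(vendor, set())
        if any(sender == d or sender.endswith("." + d) for d in allowed):
            return vendor, "expected"
        return vendor, "leak-suspected"  # valid tag, but an unrelated sender has it
    return None, "not-a-canary"

if __name__ == "__main__":
    # Constructed sample: the address given only to "acmetools" receives
    # mail from a domain that vendor does not send from.
    vendors = {"acmetools": {"acmetools.example"}}
    sample = (f"From: billing@unrelated.example\nTo: {address_for('acmetools')}\n"
              "Subject: Invoice attached\n\n(body omitted)\n")
    print(classify(sample, vendors))
```

Because the tag is derived from a secret rather than chosen by hand, a valid tag arriving from an unrelated sender cannot be explained by guessing, which is the argument the comment makes with its random 12-character addresses.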