Dumbarsed Email Spammers Leave Data Wide Open


Reading Nick's post here reminded me just how lax some companies are with people's data and information.

Very recently I was email spammed by some jokers who used an embedded 1x1 image to track whether a blank email sent out to me had been read (yep, sure, lots of firms do this, I know). Anyhow, I looked at the tracking URL (was bored and felt a little inquisitive) and noted an interesting aspect of the processing URL:


Hmmm, I thought (yep, I had bugger all better to do), I wonder if... So, using my superhuman rocket-scientist powers of perception, I deduced that the login details were fiendishly difficult defaults, meaning that someone had been ridiculously incompetent.

Lucky for them, I'm not feeling particularly bad or mischievous, as if I were, their 760,000+ subscribers could by now have been deleted, contacted with porn, sold on, tracked, etc., etc.

Seriously though, it did make me wonder why some people don't take a few simple steps to secure the lifeblood of their businesses. The above scenario could have used any number of simple additional security measures, the most obvious being that they could have used a locally held DB, housed on a Windoze PC using something like PHP Triad! Net effect: it can't be accessed by people like me.

It also made me wonder what the responsibilities of companies are when it comes to storing and holding people's data, and what recourse individuals have when such requirements are abused or, as in the scenario above, simply neglected through sheer incompetence.

I'm considering emailing the company concerned requesting that they don't spam me with any more of their invisibly embedded blank emails. I might even throw in a few veiled promises too. You never know, they might even write back to me and tell me to go boil my head, or something ruder even! Hell, they might even spam me again too. :D

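The post above describes a 1x1 tracking image whose URL turned out to carry login details. As an added example (not part of the original post, and not code from the company involved), here is a small scan over a constructed HTML email that lists the tiny remote images it contains and flags any query-string parameters whose names look like credentials. The list of credential-like parameter names and the `*.example.invalid` hostnames are assumptions for illustration only.

```python
"""Scan an HTML email for 1x1 tracking images and flag tracking URLs whose
query string carries credential-looking parameters.  Added example; the
message below is constructed and is not the one from the post."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Parameter names that commonly carry login details.  This list is an
# assumption for the example, not something the post reports.
CREDENTIAL_KEYS = {"user", "username", "uid", "login", "pass", "passwd",
                   "password", "pwd", "key", "token", "apikey"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, including self-closing ones."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # html.parser already unescapes entities such as &amp; in values
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Return the declared width/height as an int, or None if absent/unparseable."""
    raw = attrs.get(name, "").strip().lower().replace("px", "")
    try:
        return int(raw)
    except ValueError:
        return None


def is_tracking_size(attrs):
    """True if the image is declared 1x1 (or smaller) by attributes or inline style."""
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "width:1px" in style and "height:1px" in style


def find_tracking_pixels(html):
    """Return one finding per tiny image: host, path, parameter names, and
    which of those names look like credentials."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if not src or not is_tracking_size(attrs):
            continue
        parts = urlsplit(src)
        params = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "host": parts.hostname,
            "path": parts.path,
            "params": sorted(params),
            "credential_params": sorted(k for k in params
                                        if k.lower() in CREDENTIAL_KEYS),
        })
    return findings


# Constructed sample: a normal logo, a pixel whose URL embeds default-looking
# credentials, and a pixel sized only via CSS.
SAMPLE_EMAIL = """<html><body>
<p>Hello there</p>
<img src="https://cdn.example.invalid/logo.png" width="200" height="50">
<img src="http://track.example.invalid/open.php?user=admin&amp;pass=admin&amp;id=12345"
     width="1" height="1" style="display:none">
<img src="http://beacon.example.invalid/b.gif?cid=77" style="width:1px;height:1px;border:0">
</body></html>"""

if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL):
        flag = "CREDENTIALS IN URL" if f["credential_params"] else "ok"
        print(f"{f['host']}{f['path']} params={f['params']} -> {flag}")
```

The scan only reads the message; it never fetches the pixel, so running it does not itself confirm an open to the sender. Anything it flags as carrying credentials is exactly the kind of URL the post describes, and the right follow-up is to report it to the operator rather than to try the login.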

shoot them...

What's scary about that is that it was most likely a mailshot handled by third-party e-mailshot software, and the actual data owners probably trusted them to protect the data.

In that situation, even if they have a contract which allows them to sue the mail-sending service (and let's face it, that's going to be unlikely), the data owner is still going to get all the bad publicity, possibly deservedly, but how many small business owners would be able to check that a company who makes lots of promises about security isn't actually a load of brainless morons?

IMO companies who do stuff like that deserve to be named and shamed. We should make up a nice catchy Web 2.0 style name for them and alert IHY....

I think you should have

I think you should have deleted the database you found. If they learn the hard way, they will secure the data.


"It also made me wonder as to what are the responsibilities of companies when it comes to storing and holding peoples data"

In the UK, this question was addressed by the Data Protection Act 1998: http://www.informationcommissioner.gov.uk/eventual.aspx?id=87

in the US

In the US we actually had an initiative to define ownership of databases, pushed by bozos like this and other protectionists. Perhaps if they made it illegal to use data from another database, they could stay sloppy.

It would have defined your contact record as belonging to someone (not you!? Some said whoever had it first owns it!) and then unable to be used by someone else. Luckily it didn't pass before we had major confidential data leaks and a whole new focus on data protection.

Yes... and nail their bollox to the mast.

> We should make up a nice catchy Web 2.0 style name for them and alert IHY....

Well, if you hate spammers enough and can prove it, then I might just give you the full URL. Just state the amount you are prepared to donate to a worthy cause and... (no, seriously, just kidding).

Yeah, I guess there are arguments that say delete, delete, delete, teach them a lesson, but I dunno, IMO it would be a little OTT and just really isn't the type of thing I'd be happy to do.

Thanks for the data protection link. I couldn't find anything about penalties and enforcement compliance and whatnot, and I guess compliance scenarios or misuse/blatant disregard of laws are difficult to prove too, unless, as in the given scenario above, someone decided to cooperate with an enforcement agency and hand the evidence to them on a plate. Copper's nark? Nah, not me, guv.

If anything it just goes to show that ultimately all this "we look after your data and abide by x, y and z directive" cobblers is worth little more than a cold cup of piss. Who polices it? No one, really. It's a bit like those "One lucky subscriber will win a holiday" type promos... (God, I'm such a cynic.)

