Has Carbonite had a privacy breach? I'm getting spam.

Oh ****, where's all this spam coming from? It looks like Carbonite, Inc. has been giving out customers' personal information. The company's admitted giving my email address to a third party, despite promising that it wouldn't. Should you be worried? Let's take The Long View...

Like many anti-spam wonks, I don't give out my email address to just anyone. Instead, when I need to register for something, I make up a unique email address. That unique address is aliased to my real email account, but can be switched off if the sender turns out to be a spammer. Similarly, if I start receiving spam to that email alias, I can tell which organization leaked or sold my details, because the alias is uniquely tied to that organization.

And so it came to pass that I started getting spam to an alias I gave to Carbonite. Note that this wasn't spam from Carbonite, but from several unrelated organizations. It would appear that Carbonite has either sold my personal details, or has had a security breach. Either possibility is nasty, particularly for a company that we're supposed to trust with our data -- in case you're not familiar with Carbonite, it's an online backup service!

If the company sold my details, this is in direct contravention of its privacy policy:

I asked Carbonite what was going on. The company responded with a dry drawer statement:

TL;DR: Carbonite disclosed Carbonite customers' personal information to a third party. It did so in contravention of its privacy policy. The story the company's giving out tells me clearly that "the security and privacy of its customer data" is not its "top priority," and that it doesn't "take all matters related to privacy very seriously."

But, Carbonite would no doubt reply, the advertiser is simply a contractor -- not really a "3rd party." It's necessary for it to give out customers' email addresses, so that people don't get inappropriate email, Carbonite would probably argue.
Horse feathers! This is completely the wrong way around. What Carbonite should have done is to scrub the advertiser's list itself, rather than send our sensitive data to a third party. If that wasn't possible, it should have arranged a way of matching the suppressed addresses using a one-way hash. That would have allowed the advertiser to remove Carbonite customer addresses from the list, without actually disclosing them.

Oh, lest we forget, this is the same online backup company that lost the backups of thousands of its customers, while denying any data were lost, despite reports from customers who said they had (ahem) lost data. Carbonite later admitted that 54 customers were affected, while thousands of others had to re-upload their data.

It's also the company whose VP of marketing was caught red-handed posting astroturf-positive reviews on Amazon, along with other Carbonite employees. When the news broke, the company denied it had sanctioned the phony reviews.

So I guess this is Strike Three. Why should anyone trust Carbonite, Inc. ever again?

Source: http://blogs.computerworld.com/19197/has_carbonite_had_a_privacy_breach_im_getting_spam
What? An advertiser/mailer actually MAILED a company's subscriber...I mean...scrub list? NEVER!! But wouldn't this be a non-issue if Carbonite had MD5'd the list prior to giving it out???
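
The hashed suppression list that the article proposes and the reply above alludes to, as an added example that is not from the article, the reply, or Carbonite: the list owner ships only digests, and the advertiser hashes its own addresses and drops the matches. It uses SHA-256 in place of the MD5 the reply mentions; the function names, the normalization rule (trim and lowercase) and the addresses are assumptions made up for illustration.

```python
import hashlib

def normalize(email: str) -> str:
    # Assumed canonical form: both parties must apply the same rule,
    # otherwise "Bob@Example.org" and "bob@example.org" hash differently.
    return email.strip().lower()

def digest(email: str) -> str:
    # One-way hash of the normalized address, hex encoded.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def build_suppression_file(customer_emails):
    # Run by the list owner: only digests are handed over, never addresses.
    return {digest(e) for e in customer_emails}

def scrub(mailing_list, suppression_digests):
    # Run by the advertiser: drop every address whose digest is suppressed.
    kept, dropped = [], 0
    for addr in mailing_list:
        if digest(addr) in suppression_digests:
            dropped += 1
        else:
            kept.append(addr)
    return kept, dropped

# Constructed sample data (not real addresses).
CUSTOMERS = [
    "alice@example.com",
    "Bob.Smith@Example.org ",      # stray case and whitespace on purpose
    "carol+backup@example.net",    # unique alias the advertiser never had
]
ADVERTISER_LIST = [
    "ALICE@example.com",
    "dave@example.com",
    "bob.smith@example.org",
    "erin@example.net",
]

def demo():
    suppression = build_suppression_file(CUSTOMERS)
    kept, dropped = scrub(ADVERTISER_LIST, suppression)
    return suppression, kept, dropped

if __name__ == "__main__":
    suppression, kept, dropped = demo()
    print(f"digests shared: {len(suppression)}, dropped: {dropped}")
    print("advertiser may mail:", kept)
```

The advertiser only learns that addresses it already holds are customers; the alias it never had stays a digest. An unkeyed digest can still be confirmed by anyone who guesses the address, so this limits disclosure rather than making the list secret.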