Carbonite Privacy Breach Leads To Spam 134
richi writes "It looks like Carbonite, Inc. has been giving out customers' personal information. The company has admitted to giving customer email addresses to a third party, in direct contravention of its privacy policy. A company statement reads: 'Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.'"
Misunderstanding (Score:1)
"The matter will be addressed privately with the involved third parties". That's not what "privacy policy" means, you know?
Re: (Score:2)
Actually, I think it does.
Their privacy policy to their customers gives a bunch of rules that they have said they will follow. Some of those rules have been broken. I think it is actually right that they discuss this privately with the third parties to try to engage them to do the right thing. If the other parties don't come to the party, so to speak, only then should it go further.
Re: (Score:2)
As someone who listens to a ton of talk radio and thus has been subjected to hours of Carbonite ads and in-show pitches by the hosts:
BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!
Mind you, Rush pimps this service hard, maybe he can turn it around as a liberal plot or something and help save their asses.
SUCK IT, YOU GREEDY FUCKS!
Re: (Score:2)
Re: (Score:2)
Who was it? (Score:4, Insightful)
The only way to prevent this stuff is to out the culprits who did this. Why would they protect a company that screwed their reputation?
Re:Who was it? (Score:4, Informative)
Carbonite, obviously. From the summary:
They are the ones that screwed their reputation by violating its privacy policy.
.
Re: (Score:3)
They are the ones that screwed their reputation by violating its privacy policy.
What I find most ironic is that they seem to be breaking their privacy policy in an attempt to enfore it. "Here is the big email list of people you CAN'T send emails to. We promised, so don't send stuff OK?". It's simply dripping with irony.
Re: (Score:3)
Its not irony, its intentional. Claiming this wasn't intentional or is a surprise is a flat out lie. This is a company that is SUPPOSED to KNOW how to protect your privacy since they ... claim to be safe and secure place to store your backups.
I'll call them liars because if they aren't liars, its even worse for their reputation.
Re: (Score:2)
I'll call them liars because if they aren't liars, its even worse for their reputation.
Yes, it does seem to be a choice of calling them a) incompetent or b) liars. I really don't know which is worse. Do you trust the incometent fool or do you trust the sneaky but savvy businessman?
Re: (Score:2)
Do you trust the incometent fool or do you trust the sneaky but savvy businessman?
You can always find the fool's Peter-principle level where they can be trusted, but the sneaky guy can't be trusted with anything without hiring someone else to watch him 24/7.
Re: (Score:1)
Haha - You sent that email "Reply all"
Re: (Score:2)
From the summary (I didn't RTFA), it suggests they gave out the suppression list to their marketing agents. They probably don't run their own list serve and bulk emailing in house. They send it to professionals who make a pretty email for them and bulk mail it out over a few days. The list is to ensure their own customers don't get spammed by the "BE A NEW CUSTOMER!" emails. And then the marketing agent gave the list to the wrong people.
Re: (Score:2)
Re: (Score:2)
I'm not sure how well you understand this point. By using a marketing company, they violated their privacy policy.
They could have used hash digests. (Score:1)
The clear technical way to prevent it would be to give a list of cryptographic hashes to use as the email suppression list, instead of the actual list of customers itself.
Since they did not think of this obvious and simple technical way to preserve privacy, it makes me worry about the rest of their software.
I'm happy my data is backed up with https://spideroak.com/
Re: (Score:2)
Re: (Score:2)
Why would they protect a company that screwed their reputation?
Probably because they have a long standing business relationship with them. If the other company makes them plenty of new customers, they might be the company that helps them regain all the customers they lost from this fiasco.
Haven't you ever had an employee, or friend for that matter that did something stupid, you took them aside, spoke with them and they ended up being a fantastic employee or amazing friend from that point onward?
Re: (Score:1)
Re:Who was it? (Score:4, Interesting)
Richi Jennings, author of TFA here.
I have a couple of leads on the identity of the advertiser; I plan to name&shame once I have enough evidence.
However, as Bill rightly points out in his reply, it's Carbonite that's primarily to blame, for ignoring its own privacy policy.
Your information is safe to be spammed with them? (Score:3)
Apparently they forgot the confidentiality part of security, while paying too much attention to integrity and assurance.
This is news? (Score:2, Interesting)
Anyone with a domain of their own knows most companies give out personal information either willingly or accidentally.
Sign up with accounts like facebook@yourdomain.com, slashdot@yourdomain.com, twitter@yourdomain.com (to pick a few) and you'll find two thirds of those get spam directly to it.
Sometimes it's days later, sometimes months or years, but its inevitable. Why is this news?
Re: (Score:1)
I have a domain of my own and have no such problems and I've been using unique email addresses to sign-up for a decade. My guess is it's not the sites you sign up to that sell your addresses, but that your mail server or desktop are compromised.
Keep your own house clean first.
Re: (Score:3)
I've been doing this for years, and while I get plenty of spam to addresses used at less reputable sites, I honestly cannot recall ever receiving any spam e-mail to addresses used for legitimate services.
Re: (Score:2)
That's been my experience as well. I remember only one exception: spam sent to an email address that had only ever been used at Snapfish (and for the life of me I have no idea why I did that. Somebody must have been desperate to share some photos with me in the least convenient possible way).
I notified HP about it, accusing them of either selling their spam list or possibly a data breach. They protested that it wasn't their fault, and it wasn't repeated.
Re: (Score:2)
Re: (Score:2)
Never had that happen. I do that as a matter of habit and keep track and I've only received spam on three occasions. One when I registered with a forum and neglected to flip off the "display my e-mail address" flag on my account (Simple Machines forum). I blocked the e-mail, reregistered with a new e-mail and flipped off the bit. Second from a forum I signed up for and received one spam to the address. And the worst was from a site where I had a short subscription (3 or 4 months) and closed it but they sold
Re: (Score:1)
Re: (Score:2)
You don't even need your own domain. If you use Gmail, you can have 'yourname+facebook@gmail.com' filtered to your facebooklabel, and you'll know when you get spam to that address where it came from.You 'own' all the yourname+anything@gmail.com addresses.
Carbonite is a Glenn Beck sponsor (Score:1)
So it's not surprise to me these guys are unprincipled scum.
Re: (Score:2)
So you'd rather give your money to Mozy, that just raised their rates for average users (500GB) by 5x or so?
I'd honestly been thinking about switching to Carbonite before this fiasco... their imagined politics had nothing to do with it.
Besides, Glen Beck fulfills a necessary niche in our world, just like Mother Jones and Keith Olbermann on the left. It's actually a very good thing to have a diversity of viewpoints available. Having the media all talking with one voice would gatekeeper out a lot of alternati
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
...yeah, if you ignore that whole being hugely popular thing.
Don't Use 3rd Mailers, Duh! (Score:3)
If you give your entire customer list to a third party you are just asking for it to be abused. No matter how strict their "policies" may be with respect to handling your data, all it takes is one disgruntled employee to grab a copy on their way out the door and that's the best case. It can only get worse from there.
There is only one way to guarantee that your data is not abused - don't give it to anyone else. All the rules and laws of man will never top the fact that fact you can't copy what you don't have.
FWIW I've seen this happen first-hand. E*Trade farmed their mailings for options trading out to some third party, and they dutifully sent them for six months to me at "etrade@ryel-industries.com" - the address I had on file with E*Trade. I was annoyed enough that E*Trade thought spamming me was a good idea that I remembered it. But a year later I started getting spam from Ameritrade or Schwab or whatever they are called now sent to "etrade@ryel-industries.com" and when I checked the Received: headers it was the same 3rd party as E*Trade had used.
Of course E*Trade couldn't even comprehend what I was talking about when I complained to them. I haven't really done much with my E*Trade account since. They obviously don't really give a damn about my privacy.
Re: (Score:2)
A word of warning.
I used to use [companyname]@mydomain.com for everything I signed up for. It worked great for a long time. The only downside was having to use a catchall address, but not a huge deal.
Unfortnately what will eventually happen is someone will troll through whois records or just grab random domains from existing mailing lists, and start sending out spam from random strings of letters/words @ that domain. Still, not a huge deal, except when they are sending out hundreds of thousands of emails th
Re: (Score:2)
Yeah, for those who want to do something similar, it is easy to setup mailhost software to redirect any mail with a certain prefix to a single account, for example traced.companyname@example.com, would all get sent to traced@example.com. You get the benefit of tracking where folks got your email from without having to have a catch-all account.
Also some free email providers are already setup to work this way. For example mail sent to myname+slashdot@gmail.com will go to myname@gmail.com. Some poorly written
Use explicit redirection, not catchalls (Score:2)
A word of warning.
I used to use [companyname]@mydomain.com for everything I signed up for. It worked great for a long time. The only downside was having to use a catchall address, but not a huge deal.
Unfortnately what will eventually happen is someone will troll through whois records or just grab random domains from existing mailing lists, and start sending out spam from random strings of letters/words @ that domain..
The trick is to not use a catchall. Setup a redirection for every address in use. Anything not defined should bounce. With Sendmail this means a virtuser entry for each address. Admittedly, this is not as convenient as a catchall but it does provide immunity from dictionary attacks like you describe. Long on my to-do list (but never actually done) is to create a script to check From: and Reply-To: on all outgoing mail and automatically add new addresses to virtusers if they are not already present.
It i
Re: (Score:2)
If you give your entire customer list to a third party you are just asking for it to be abused. No matter how strict their "policies" may be with respect to handling your data, all it takes is one disgruntled employee to grab a copy on their way out the door and that's the best case.
I've actually seen one rather better (worse?) than this.
Company (A) sells an imaging-based backup solution. They sell their list of prospective customers to company (B).
Company (B) drills through every name and telephone number on the list trying to sell them an imaging-based backup solution from company (C) - a competitor of (A). When challenged, (B) insists that there's nothing wrong with this.
I called up (A). They weren't amused...
Re: (Score:2)
"As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously."
They take privacy "very seriously"? How? By giving your information to all their advertisers along with a nice note saying "Please do not steal"???
Anybody who did this in the first place, despite "agreements" with those third parties, would be off my list immediately. Speaking of which: I guess Carbonite is off my list.
I mean really. Give me a break. "Security through third-party agreement" makes "security through obscurity" look like a good bet.
Endorsed by Glenn Beck (Score:2)
Carbonite: endorsed by Glenn Beck and Rush Limbaugh. 'Nuff said.
Re: (Score:2)
Carbonite: endorsed by Glenn Beck and Rush Limbaugh. 'Nuff said.
But why? I think if either of them actually cared about rights to privacy, etc., they wouldn't be recommending this kind of shit to their listeners/viewers. We see once again that they are just puppets controlled by strings of money. It's not about actually recommending a good product to the consumer, but making sure that commission check is as large as possible.
Re: (Score:2)
What made you think they cared about privacy or any rights?
These are the very folks that egg on the War on Terruh, and the War on drugs. Of course not on the drugs they are addicted too. If I wanted to hear the ravings of a drug addict I could go down the local homeless shelter and see it live.
Re: (Score:2)
You're overthinking this. Rush and Beck are seeing this as sponsorship for profit. Malice is unnecessary unless you see profit as malicious.
Leo Laporte, on the other hand, doesn't easilty fit into the category of 'evil' for me. You may have a different opinion, I know...
Re: (Score:2)
Whoosh!
Re: (Score:3)
Re: (Score:2)
*donning whoosh proof clothing*
It should be noted that Boba Fett was initially against the freezing into carbonite "He's worth more to me alive" "You'll be suitably compensated"
It was Vader who endorsed the product, if anyone.
Re: (Score:2)
And by Randi Rhodes and Thom Hartmann and another half-billion or so talk-/sports-radio gabbers. Basically, if it's on radio, these guys will be there. Radio is cheap (and getting cheaper each day). I doubt they actually have an ideology to push.
Re: (Score:2)
Re: (Score:2)
Yeah, and? They also sponsor Radio Lab, which is an NPR show.
Re: (Score:2)
And Stephanie Miller, and Bill Press, and Ed Schultz, And Leo Laporte and The TWiT network......should I keep going?
Never liked Carbonite (Score:4, Insightful)
Re: (Score:2)
giving it away? my data is encrypted with AES 256 encryption.
I also have my primary data, my backup local data on another hard Drive and for my very important stuff, I will be getting BD-R copies (family video and pictures)
Carbonite is insurance.
Re: (Score:1)
giving it away? my data is encrypted with AES 256 encryption.
I also have my primary data, my backup local data on another hard Drive and for my very important stuff, I will be getting BD-R copies (family video and pictures)
Carbonite is insurance.
Certainly, but how many "Joe Home Users" are going to any effort to encrypt their data? Obviously, there's no excuse when we know the pitfalls, but the point is, look at how all these cloud services are marketed and see if any of these drawbacks are even mentioned. The 'cloud' is just talked up like it's the next wheel, but no one even knows what the hell they're talking about, or what the potential risks are!
Perfect Example (Score:1)
It's irresponsibility like this that keeps me from embracing the cloud like I want to. I don't trust anyone, so I'm actually thinking of building my own personal cloud infrastructure to store my stuff offsite, email, etc.
Re: (Score:1)
It's irresponsibility like this that keeps me from embracing the cloud like I want to. I don't trust anyone, so I'm actually thinking of building my own personal cloud infrastructure to store my stuff offsite, email, etc.
Well, according to Wikipedia, "[private clouds] ...have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from lower up-front capital costs and less hands-on management, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept"
Translation: Being smart and responsible with our data costs money- how can we make it cost less money.
At some point, you drop the 'smart', and 'responsibility' part in order to make room fo
Re: (Score:1)
I've done that.. Instead of using Mozy/Carbonite/AmazonS3, I signed up for two Linux virtual private servers. Both of which come with a 60GB disk allocation. Since my critical data backup needs are well below that (less than 30GB and not growing very fast), I simply created an encrypted 50GB container on both servers, set them up to rsync/mirror the contents of the master container, and then set up a daily rsync from my home server via an OpenVPN link to the master server. Even though I don't *own* the vps,
Re: (Score:2)
...
So you're going to run a server?
A cloud is almost certainly retarded if thats all you're doing. Why would you run umpteen machines when one would do the work 100 times over?
A personal cloud is a rather stupid idea, you'll spend more time fucking with 'the cloud' than any advantage you'll get from it.
Seriously? (Score:2)
People who believe that their "personal information" isn't being sold are just being ignorant. These are probably the same people who believe that ALL the money they deposit is sitting in the vault at the bank.
Re: (Score:2)
At least with the bank you are insured against the bank's failure.
Re: (Score:2)
not really... the Government just promises to print enough money to cover your loss.... they are giving you back inflated dollars.
Re: (Score:2)
Uh, no. Go google "FDIC."
Re: (Score:2)
Uhh... where do you think that cash comes from?
By "advertiser", they mean "spammer" (Score:4, Insightful)
So, they engaged an outfit of professional spammers, handed them their customer list and were surprised when the spammers did what spammers always do?
That's like buying a shark and shoving your dick in its mouth so that it can learn not to bite off your dick.
Why not send a hash of the email addresses (Score:1)
The 3rd party would only ever get the intersection of "do not mail" and their own marketing list. And emails wouldn't be sitting around in clear text in a database / filesystem..
advice on a similar, but more sinister situation? (Score:2)
I created a unique email address to use with a company I ordered products from. No one else had that address. A while later I got a phishing email (pointing to http://www.official-2011-skype-upgrade.com/ [official-2...pgrade.com]) at that address. The email addressed me by my name as well as the email address ("Joe Blow <uniqueaddress@somedomain.tld>").
Is this conclusive evidence that my private/personal information with the company has been compromised? Maybe they lost control of my credit card and address information as
Re: (Score:2)
Re: (Score:2)
I'm in contact with the company. We'll see how they want to proceed.
I am still going to report the incident. The NY AG is sending a complaint form for me to fill out. I had tried the DA, but I guess that's the wrong organization — they kept basically ignoring me.
Re: (Score:2)
I create unique email addresses for every company I do business with. A surprising number (I estimate @ 15%) end up getting spammed. In every case I write to the company and let them know that their email database has somehow been compromised. I have yet to get a reply to even one of those emails. That tells me that either it was deliberate or they don't give a crap. I'd say go ahead and refer your case to whatever law enforcement agency you think appropriate, but don't expect much.
More proof opt-in is the ONLY way to do it right. (Score:4, Insightful)
If you RTFA, you'll quickly realize what Carbonite did was provide a 'do-not-spam' list to, well, a spammer... and then, surprise, surprise, the spammer misues or abuses it.
The list was Carbonite customers AND people who previously clicked the opt-out link in past Carbonite spam... So strictly speaking, this wasn't a straight list of Carbonite customers. Spam might be annoying, but there is a bigger issue here: If you wanted to phish Carbonite logins, you'd have a pretty good start.
Scrubbing the list in-house won't happen... Carbonite doesn't have huge lists, the spammers do. And the spammers are not going to give Carbonite their whole list to scrub, those things are money. So Carbonite has to give an opt-out list to the spammers and trust them not to spam it. Sure...
The article's suggestion of address hashes is kinda bogus, and especially dangerous if the hashed addresses are known to be customers. Assuming a spammer/phisher already has eleventy billion addresses, this is a hash collision attack. All the spammer has to do is hash their list and look for matches. Instant customer list.
Re: (Score:2)
That's the intended usage of the list of hashes: for each address that the marketer already has, they can determine whether it's the address of an existing customer so they can exclude i
When you give the data to some other party, (Score:3)
You have lost control of it. You can make any claims you want, but if your agreement with users permits you to share the data, you should be legally bound to state that you cannot guarantee privacy. In essence, you have ended your agreement with your users at that point.
Since asking users in advance if you can share their data with a third party is both impractical and likely to cause outrage and refusal, no company is going to do this willingly. So we are back to square one.
If you share user data with a third party, you have lost control. Any claims to privacy are deceptive at best, outright fraudulent at worst.
Even if you claim to compel the third parties to abide by agreements, there is no guarantee unless you own them and/or control the data. That would not be 'giving'.
Ha ha Han Solo (Score:3)
<insert Han Solo joke here>
There, I did it.
Re: (Score:2)
Ha ha Han Solo
A good speech therapist could probably help you with that stammer.
Re: (Score:2)
He thrusts his fists against the post...
Stupid is as Stupid Does (Score:1)
Then you deserve what you get.. Im suprized they don't try to root through their customers backups and sell that off.
Why in the world would you trust an outside party with your data is beyond me.. Stupid is as stupid does..
Really, slashdot? (Score:1)
Re: (Score:2)
you call yourself a Geek? I had heard about Carbonite for 2 years before on Leo Laporte's Weekend tech guy show before it even hit popular radio hosts' shows.
Re: (Score:1)
Re: (Score:1)
seriously?
Your geek card and slashdot membership are revoked.
Re: (Score:2)
Re: (Score:1)
Fuck you...Windows 8 user.
OK, serious question here (Score:2)
Asking on /. because I haven't found anything myself yet: Is there any such thing as an online backup service that:
1. Is either EU-based or is a signatory to the EU-US Safe Harbor scheme.
2. Has a reasonably good reputation - and doesn't consider customer data disposable.
3. Appreciates that we don't necessarily have unlimited bandwidth so offers a media-shipping option for data restores.
4. Operates a reseller program.
5. Supports OS X and Windows.
6. Isn't in some sort of crazed rush to the bottom that will ul
Re: (Score:2)
Carsh Plan provides the shipping option as well as a few other back up options that it will manage for free (local backups, off site to a friend's computer)
Re: (Score:2)
CrashPlan suits my needs pretty well.
Crashplan does have a good reputation, media-shipping options, supports OS X, Windows, Linux, Solaris, iOS, and others, and isn't a fly-by night operation.
The biggest problem I see is the "operates a reseller program" - I don't know of anybody that does that.
Re: (Score:2)
you are really good at advertising... I am going to head over and buy your product.... oh....wait....
Security/Privacy companies giving out your private (Score:2)
information ...
I'm not sure about you, but anyone with half a clue realizes that if they were actually in the business of protecting your data, they wouldn't be giving email addresses to anyone. Whats better is that they give out their ENTIRE FUCKING LIST, and then give another list of 'don't email these guys' ... seriously? How about you just NOT INCLUDE THOSE PEOPLE TO BEGIN WITH?
They are double dipping. Charging for service, then selling your info. And this is a company thats supposed to be backing u
Re: (Score:2)
I don't think so. I think they paid the spammer to spam his list with their ad and gave him their customer list so that he would delete those addresses from his list and so not spam them.
Not selling your info. Hiring a spammer and then giving him your address expecting him to use it only for the intended purpose of washing his list. Incom
How's that Cloudy security thingy workin' for ya? (Score:2)
Apparently, not so good.
They didn't sell the names (Score:2)
They mention two cases:
1. They are sending out an email advertising campaign, and use the file of customer's email addresses to delete customers off the file, so existing customers don't get an email advertising their service. I can understand with the irritation at a company sending unsolicited email, but the supp
Where did they get the list of non-customers? (Score:2)
My question is, where does Carbonite get their marketing list of emails? Are they sucking down all the email of their customers and puling email addresses out of their backed up documents? To me this seems like an obvious possibility - they simply grep all the documents they have for valid email addresses and send it away to the spammers they have contracted.
Then a day later you get an email saying "Wouldn't you love to become protected like your pal bob@super.com? His data is backed up, why isn't yours
Re: (Score:2)
This doesn't mean they have opened any documents on the customers' accounts, but they have done something else that's inexcusable: they gave a verified list of emailadresses to spammers and they paid spammers.
Re: (Score:2)
I don't buy this. I think it's quite probable that Carbonite has been rooting around through its customers' data and picking out email addresses. If this is the case, then the idea of handing out a list of "don't mail" addresses for the spammers to subtract from Carbonite's theoretical list of emails sucked out of their customers' files makes sense.
If they didn't hoover out a bunch of emails addresses from their customers' files, why bother sending the additional addresses? No spam house has every addres
Backup Service Provider Security (Score:1)
David Friend, Carbonite CEO Comments on Blog (Score:2)
Here's the horsecrap they said a week ago (Score:2)
I wrote them last week and told them that the email account I set up specifically for their company was getting spammed, and that their customer email list must have been compromised. They wrote back the following:
Welcome to the "Cloud" (Score:1)
The "cloud" hides those pesky & boring details of where your data is stored, and how it is backed up, and who has access. Super convenient!
Oh, and your identity is just a bit more data whose location(s), access, and use are all hidden from you. Super convenient!
Love the cloud.
So glad I chose Crashplan instead (Score:2)
I am so glad I recommended Crashplan instead of Carbonite to my Mom. I got Crashplan too.
The good thing about Crashplan being that it also gives you a free client to duplicate backup to a hard disk you have networked somewhere or a friend's computer. Oh and they are "unlimited backup".
From what I can tell of their character, I doubt Crashplan would ever, ever do what Carbonite did.
Great approach to protecting email address (Score:1)
Don't provide a "suppression list" of addresses! (Score:2)
Only provide a list of HASHES of email addresses you don't want to send to. And don't store a list of addresses to suppress yourself. Store a list of hashes. It is the only way to guarantee those people will never be emailed again. I've worked with companies who had emailing operations for their customers and on at least two occasions they accidentally emailed the "do not email" list. Had they been only storing hashes this would have been impossible.