Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

Is it fixed?

[CncRobot]

Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

Geeks rarely rule the roost

[Anonymous Coward]

In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.

Write threatening letters

[nemesisrocks]

I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.

The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.

Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell)

Public Shaming

[Jah-Wren Ryel]

It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.

I don't even bother any more. I get spam/malware it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog make an entry about it and hope it shows up in google. Or post the info here, if it gets modded up google will probably index it.

Once You Eliminate The Impossible...

[guttentag]

Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.
-Arthur Conan Doyle

Have you considered the probability that perhaps they meant to send you a virus? What sort of tools are these? The system administration tools, I mean, not the people who can't properly administer their systems but expect to help you administer yours.

Re:Is it fixed?

[Anonymous Coward]

Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it.

I was about to grab the pitchforks when I read this and thought it was actually a reasonable explanation. Mod parent up.

Re:Is it fixed?

[codegen]

Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

Maybe notify members of the list that the list has been compromised and they might be getting virus loaded emails?

Re:Depends...

[ssfire]

Yup. When I set up an account with Ameritrade, I initially created an email address ameritrade@mydomain.com. Then I started getting spam on it. But the spammers might have guessed that email address. So I created a new non-guessable email address ameritrade_29478763@mydomain.com. But then I started getting spam on that. So I notified Ameritrade. No response, so I closed my account. A few months later, there was a news item that a trojan running on the Ameritrade servers had compromised 6.3 million email addresses.

Re:Is it fixed?

[hedwards]

If they do acknowledge the problem, how would he know if it's fixed? Once the data is out there, it's out there. Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

Re:Write threatening letters

[robbo]

+1. You have no reason to expect an acknowledgement if you just pass it 'up the food chain'. Put it in clear legalese and look forward to a reply from their lawyer. Most likely someone on the inside sold the list for chump change.

btw did you consider that maybe it's you that's compromised? 8-)

Re:Is it fixed?

[Zaelath]

I'd bet my left nut "a well-known provider of tools for the Systems Administration community" is Atlassian, and they claim there's no issue.

Re:Is it fixed?

[Mattcelt]

I had exactly the same issue as the OP this past week, but with a Fortune 1000 company whose business model revolves around collecting and selling information about people.

I contacted their information security department, and sent them the emails and headers at their request. I haven't heard from them since.

The problem is that not only did I get emails to an address that only that company has; my social security number was also in the emails. So whoever got the emails got much more personal information as well. It's clearly a case where the company should be disclosing that they had a breach. If they don't, I'm going public with what I've got.

These companies have a responsibility to the people whose information they hold.

Re:Is it fixed?

[Mattcelt]

I spoke with one of their InfoSec guys on the phone. They have my phone number, and they know that I know that my personal information was compromised. There's no excuse for not keeping me apprised, at the very least.

Re:Write threatening letters

[AK Marc]

Has there ever, in the history of the modern Internet, been a proven case of someone "sniffing" something from "the Internet" (defined for this to be beyond the first provider and not as a part of the last provider), aside from government nodes? You might as well be afraid that the aliens are reading your thoughts from orbit.