Astroglide tries to plug 260,000 customer data leak

Astroglide, which was notified last week of a data breach compromising more than 260,000 records of people who ordered free samples of its products, has taken down its page for ordering the free samples and removed the last of the records from its Web site.

On Saturday we informed you — and apparently scooped everyone — that Astroglide had inadvertently published names, email and shipping addresses for tens of thousands of customers who had ordered free samples from 2003 through the present. While the company had removed most of the records from its Web site and made changes to its robots.txt file, it had left a spreadsheet containing 4,529 records online and available for download as of publication time Saturday. That last file has been removed as of Monday.

Ryan Singel at Wired News gathered a few more details Monday about the breach, but he also was unable to reach anyone at Biofilm, Inc., the company which manufactures Astroglide. Apparently they’re closed on Mondays.

Someone’s at work, however; the company did temporarily disable the free sample online order form.

The files indexed by Google contain a total of 263,822 listings, each of which included a name and mailing addresses. No financial information was exposed. A random sampling included privacy conscious entries such as Current Resident and clearly fake entries for President George W. Bush and former Republican Senator Rick Santorum. Possibly less humorous are the tens of thousands of entries from people who used their real names. These included included doctors, programmers, students and a vice chancellor for a prestigious American university. . . .

Anyone searching Google on the affected names would be able to find links to Astroglide customer files that Google indexed on April 3. . . .

The company’s website makes no mention of the data security lapse, and it’s unclear if the company has asked Google to remove the files. THREAT LEVEL reported the cached files to Google before publication. — Threat Level

Those fake entries for George Bush actually gave the address of the White House, and a sample was ordered at least twice for the President. Perhaps one of you in the White House press corps might make a few discreet inquiries and find out what happened to them? (Nobody seemed to have ordered any for Dick Cheney. But perhaps W can give him one of his samples?)

Out of respect for privacy, I haven’t attempted to contact any of the people individually who were affected by the breach. While for an ordinary data breach I might consider this, many people might not wish it generally known that they had ordered these sorts of products.

Under our existing system, what’s the worst that can happen to Astroglide? The FTC might hit them with a fine or they might require (expensive) auditing. Clearly that would not be good financially for Astroglide, but what about the people who might be affected? Under most laws, they have absolutely no legal recourse against Astroglide if they cannot demonstrate financial harm. No compensation for embarrassment. No compensation for the fear experienced by any woman who may now live in fear of a stalker or an abusive spouse finding out her address. Do I know that any of this will or has happened? Of course not. But it could, and until we pay more attention to the human consequences of breaches, we will continue to miss what I think is the more important impact of breaches — their nonfinancial impact. — Chronicles of Dissent

Now, how about those Google cached entries, which are all still there as of right now?

One thought on “Astroglide tries to plug 260,000 customer data leak

  • April 25, 2007 at 7:59 pm
    Permalink

    Danielle: please keep us all updated on what happens with the FTC complaint.

    I wrote to BioFilm to ask if they were going to issue a press release or statement on this incident. I’m somewhat surprised that they have not done so already.

Comments are closed.