Astroglide, which was notified last week of a data breach compromising more than 260,000 records of people who ordered free samples of its products, has taken down its page for ordering the free samples and removed the last of the records from its Web site.
On Saturday we informed you — and apparently scooped everyone — that Astroglide had inadvertently published names, email and shipping addresses for tens of thousands of customers who had ordered free samples from 2003 through the present. While the company had removed most of the records from its Web site and made changes to its robots.txt file, it had left a spreadsheet containing 4,529 records online and available for download as of publication time Saturday. That last file has been removed as of Monday.
Ryan Singel at Wired News gathered a few more details Monday about the breach, but he also was unable to reach anyone at Biofilm, Inc., the company which manufactures Astroglide. Apparently they’re closed on Mondays.
Someone’s at work, however; the company did temporarily disable the free sample online order form.
The files indexed by Google contain a total of 263,822 listings, each of which included a name and mailing addresses. No financial information was exposed. A random sampling included privacy conscious entries such as Current Resident and clearly fake entries for President George W. Bush and former Republican Senator Rick Santorum. Possibly less humorous are the tens of thousands of entries from people who used their real names. These included doctors, programmers, students and a vice chancellor for a prestigious American university. . . .
Anyone searching Google on the affected names would be able to find links to Astroglide customer files that Google indexed on April 3. . . .
The company’s website makes no mention of the data security lapse, and it’s unclear if the company has asked Google to remove the files. THREAT LEVEL reported the cached files to Google before publication. — Threat Level
Those fake entries for George Bush actually gave the address of the White House, and a sample was ordered at least twice for the President. Perhaps one of you in the White House press corps might make a few discreet inquiries and find out what happened to them? (Nobody seemed to have ordered any for Dick Cheney. But perhaps W can give him one of his samples?)
Out of respect for privacy, I haven’t attempted to contact individually any of the people who were affected by the breach. While for an ordinary data breach I might consider this, many people might not wish it generally known that they had ordered these sorts of products.
Under our existing system, what’s the worst that can happen to Astroglide? The FTC might hit them with a fine or they might require (expensive) auditing. Clearly that would not be good financially for Astroglide, but what about the people who might be affected? Under most laws, they have absolutely no legal recourse against Astroglide if they cannot demonstrate financial harm. No compensation for embarrassment. No compensation for the fear experienced by any woman who may now live in fear of a stalker or an abusive spouse finding out her address. Do I know that any of this will or has happened? Of course not. But it could, and until we pay more attention to the human consequences of breaches, we will continue to miss what I think is the more important impact of breaches — their nonfinancial impact. — Chronicles of Dissent
Now, how about those Google cached entries, which are all still there as of right now?
9 Comments
Nice job scooping the world.
Names and addresses submitted voluntarily to a roster is not a data breach, Mike. For someone that is supposed to preach personal responsibility, why are you blaming a company for what its customers voluntarily submitted? Users that submit anything to a non-encrypted site pass that data in clear text over the internets. They should know that they are submitting it in clear text.
Hey, I’ll bird dog another big “scoop” for you. Online petitions. Those are full of names and addresses too. Quick, say it’s a “data breach,” and write a story on it.
Oh, and here’s another big, big scoop for you. It’s a website called “bigbook.com” If you type in any zip code and the first letters of any last name, you get the entries of everyone who has a listed number! OMG! Another data breach!
@BelchSpeak;
Your logic and examples are flawed.
People signing petitions actively and intentionally sign their data for record/viewing purposes, not necessarily only for a single party.
And, you can become unlisted in the phone book.
I would be willing to wager that Biofilm’s Privacy Policy (with regard at least to requesting the free sample) does not state “your information will be made available to the free public, by submitting this order form you agree to these terms”. I’m sure it says exactly the opposite, perhaps the only ‘data availability’ would be to relevant marketing by reputable 3rd parties/business partners or some such.
If I’m wrong, then these people don’t have a case, but I don’t believe that to be how things are.
Submitting a private request is an entirely different world than a public signing (petitions, etc.), and a web accessible archive of that data could not possibly have been the intention of Biofilm.
BelchSpeak – I think you’re a little wrong here. No, you’re just wrong.
When you publicly list your information like a phone number, or publicly sign a petition, you know that it will be published online. Nobody would sign up for lube if it meant their private information was going to be shared online. Their privacy policy – and yes, people do read these – directly states against this.
Sorry, there is indeed no difference between signing online petitions with your name and address and signing up for a free sample of a product without using an encrypted connection.
Both are transmitted in clear text over many disparate networks before appearing on a website, and such information is recorded by security devices along the way.
Individual users asking for a free sample of a product know the difference between an encrypted and unencrypted website. And if they don’t, they assume the risk. It is not the fault of the company who ran the website.
For those that don’t know the difference:
The url begins with https://
Also, a little padlock should appear in the browser’s tray.
Also, the site’s certificate should be signed by a certificate authority.
If these criteria are not met and someone types in their personal information, they have no right to act surprised if it is not protected. This is basic internet usage and it goes back 15 years. To pretend that this type of data collection should be carefully guarded is preposterous.
It’s just funny because it’s Astroglide.
Whether the site is encrypted or not has nothing to do with whether the web site operator makes reports of submitted data and publishes them on the web site. This is what they did. If you’ve been around 15 years, you should know this.
Not to mention that the FTC has fined other companies in the past for promising to protect data and then exposing PII on the web.
There’s nothing that required the company to retain those files on a public server for 4 years. They could have retained them offline.
In any event, their privacy policy gave assurances that they did not live up to and I view them as being responsible.
Thank you two for backing me up. I hope anyone who uses the internet knows the difference between an encrypted site and an unencrypted one. I don’t much care that someone else on my home network can sniff out what I’m doing, and there’s far too much internet traffic for anyone except the government’s little watchdogs at AT&T to catch it en route. That doesn’t mean it’s going to be stored at a later date for anyone with an internet connection to easily find.
Anyway, a claim with the FTC has already been filed. There really was no reason to store this data on even the same computer as their site, never mind in a directory served by their web server.
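The failure the last two comments describe is an export of order records sitting inside the web server’s document root, where a robots.txt change hides it from polite crawlers but does not stop anyone from downloading it. As an added example (not code from the original post or from Biofilm), here is a small Python audit a site operator could run over a document root to find such files; the fixture directory, file names, email-count threshold and robots.txt contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# File types that typically hold exported records rather than site content.
EXPORT_SUFFIXES = {".csv", ".tsv", ".txt", ".xls"}
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def robots_disallows(robots_txt):
    """Return the Disallow path prefixes listed in a robots.txt body."""
    prefixes = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:                                   # "Disallow:" alone allows all
                prefixes.append(path)
    return prefixes


def scan_webroot(root, robots_txt="", min_emails=20):
    """Flag export-style files under the document root holding many email
    addresses: customer lists the web server will serve to anyone.
    A robots.txt Disallow is reported for context but never clears a hit,
    because it is a request to crawlers, not an access control."""
    root = Path(root)
    disallows = robots_disallows(robots_txt)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXPORT_SUFFIXES:
            continue
        count = len(EMAIL_RE.findall(path.read_bytes()))
        if count < min_emails:
            continue
        url_path = "/" + path.relative_to(root).as_posix()
        hits.append({"path": url_path, "emails": count,
                     "robots_disallowed": any(url_path.startswith(d) for d in disallows)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_webroot():
    """Constructed fixture (not real data): a public index page plus a
    forgotten free-sample order export left under the document root."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<html>free sample form</html>")
    export = root / "reports" / "samples-2003.csv"
    export.parent.mkdir()
    rows = [f"Person {i},person{i}@example.invalid,{i} Main St\n" for i in range(25)]
    export.write_text("name,email,address\n" + "".join(rows))
    return root
```

Anything the scan reports should be moved out of the document root (or deleted) rather than merely added to robots.txt.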
Danielle: please keep us all updated on what happens with the FTC complaint.
I wrote to BioFilm to ask if they were going to issue a press release or statement on this incident. I’m somewhat surprised that they have not done so already.