I wrote to BioFilm to ask if they were going to issue a press release or statement on this incident. I’m somewhat surprised that they have not done so already.

There’s nothing that required the company to retain those files on a public server for 4 years. They could have retained them offline.

In any event, their privacy policy gave assurances that they did not live up to and I view them as being responsible.

Both are transmitted in clear text over many disparate networks before appearing on a website, and such information is recorded by security devices along the way.

Individual users asking for a free sample of a product know the difference between an encrypted and unencrypted website. And if they don’t, they assume the risk. It is not the fault of the company who ran the website.

For those that don’t know the difference:
The url begins with https://
Also, a little padlock should appear in the browser’s tray.
Also, the site’s certificate should be signed by a certificate authority.

If this criteria is not met and someone types in their personal information, they have no right to act surprised if it is not protected. This is basic intenet usage and it goes back 15 years. To pretend that this type of data collection should be carefully guarded is preposterous.

Its just funny because its astroglide.

When you publicly list your information like a phone number, or publicly sign a petition, you know that it will be published online. Nobody would sign up for lube if it meant their private information was going to be shared online. Their privacy policy – and yes, people do read these – directly states against this.

Your logic and examples are flawed.
People signing petitions actively and intentionally sign their data for record/viewing purposes, not necessarily only for a single party.

And, you can become unlisted in the phone book.

I would be willing to wager that Biofilm’s Privacy Policy (with regard at least to requesting the free sample) does not state “your information will be made available to the free public, by submitting this order form you agree to these terms”. I’m sure it says exactly the opposite, perhaps the only ‘data availability’ would be to relevant marketing by reputable 3rd parties/business partners or some such.

If I’m wrong, then these people don’t have a case, but I don’t believe that to be how things are.

Submitting a private request is an entirely different world than a public signing (petitions, etc.), and a web accessible archive of that data could not possibly have been the intention of Biofilm.

Hey, I’ll bird dog another big “scoop” for you. Online petitions. Those are full of names and addresses too. Quick, say its a “data breach,” and write a story on it.

Oh, and here’s another big, big scoop for you. Its a website called “bigbook.com” If you type in any zip code and the first letters of any last name, you get the entries of everyone who has a listed number! OMG! Another data breach!