Who’s Playing with my Data?

Is it safe?My privacy, your privacy are key requirements in our (online) life! Nobody enjoys seeing personal data used by unauthorized people. Let me tell you a story that happened to me today. I visited the website of a well-known vendor to grab some information about its products. When you’d like to access more information like a white-paper, documentation or a live demo, you are often redirected to a very nice form asking you hundreds of personal data. That’s part of the game. Even if, personally, I hate this! Most of the time, I just press the “back” button of my browser or close the tab. After all, looking for some information does not mean that I’m ready to meet the vendor or to be hunt by their sales force! I respect sales people, they have to do a job not always easy but… DON’T BUG ME!

Back to my today’ story. I really needed the precious documentation. Forced to follow the procedure, I filled and submitted the online form. Of course, I never disclose my personal data. Usually I use the one of the Privacy Commission in Brussels:

Jean Dupont
Commission for the Protection of Privacy
Rue Haute, 139
1000 Brussels, Belgium
+32 (0)2 213 85 40

And to protect my e-mail, I use guerrillamail.com which provides temporary e-mail addresses. Some vendors are nasty and refuse disposable e-mail addresses but it remains unusual (hopefully for us). Back to the GuerrillaMail interface, I received the confirmation but also a strange message: (Note: Information has of course be anonymized)

  Undelivered mail
  From: postmaster@webagency.com, To: ucqczlqd@sharklasers.com, Date 2011-12-14 12:32:04
  An error was detected while processing the enclosed message.  A list of
  the affected recipient follows.   This list is in a special format that
  allows software like LISTSERV to automatically take action on incorrect
  addresses; you can safely ignore the numeric codes.

  --> Error description:
  Error-for:  johndoe@webagency.com
  Error-Code: 3
  Error-Text: Mailer server.webagency.com said:
              "550 5.1.1 <johndoe@webagency.com> User unknown; rejecting"
  Error-End:  One error reported.
  ------------------------------ Original message ------------------------------
  Received: from AspEmail (server.webagency.com) by server.webagency.com
  (LSMTP for Windows NT v1.1b) with SMTP id <0.00018EAA@server.webagency.com>;
  Wed, 14 Dec 2011 7:32:02 -0500
  From: <ucqczlqd@sharklasers.com>
  To: sales@vendor.com,johndoe@webagency.com
  Subject: VendorName - Request a Demo
  Date: Wed, 14 Dec 2011 07:32:02 -0500
  MIME-Version: 1.0

  The following information has been submitted:

  First Name:         Jean
  Last Name:          Dupont
  Company:            Commission for the Protection of Privacy
  Title:              N/A
  Email:              ucqczlqd@sharklasers.com

  Phone:              +32 (0)2 213 85 40
  State:              Brussels
  Country:            Belgium

  Comments:           Don't bug me!

  Referral Info:
  Refering URL:   http://www.vendor.com/
  Landing Page:   /a/very/long/path/to/more/vendor/information/index.asp

Of course, It was very tempting to google for the email address which generated the non-delivery error message. I found the guy! He worked for “webagency.com” as a “Search Marketing Specialist” (Just his title already scares me!) and left seven months ago. I’m wondering why this guy configured the script to send a copy of all visitors information to his mailbox? What can we learn from this story?

  • From a visitor point of view, don’t trust the website you’re visiting. Even if they belong to well-known or big players, information can be accessed by third parties. Most websites are developed and hosted outside the company (and outside controls!)
  • From a company point of view, manage properly the departure of people. When someone leaves the company, lot of organizations simply close the e-mail account. The right way is to redirect the mailbox to a manager or a direct colleague who will be able to process the new incoming mails. This way, the problem reported above should have been detected and fixed.
  • Implement code review and strong software development rules. If the data was sent to a second e-mail address for debugging purpose or during a test phase, why leave it active for months?
  • Depending on your business, this could have huge compliance impacts! (Note: sensitive information should never been sent via e-mail!)
  • Implement SoD (“Separation of Duties“) to ensure that tasks are properly handled. Developers cannot implement backdoors or add unexpected functions in their code.

Now, you will understand why you receive spam even if you manage your e-mail addresses properly! Stay safe!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.