by Sebastien Lahtinen
The recent stories in the media about marketing firm Epsilon have brought into sharp focus the problems associated with managing user data, as well as the fact that most users simply do not know where their data is stored. Whilst I am disappointed that such a breach has occurred, no system administrator is going to guarantee it cannot happen to them, and every sysadmin I have spoken to about these types of issues is always worried they may be next.
Spam from Barbara Cook t/a Towelsoft to e-mail address provided originally only to Vodafone UK
Over 1,000 thinkbroadband users have given us e-mail addresses that are clearly unique to us (for example email@example.com, although something a bit less predictable is better). I would highly encourage this practice; it is exactly what I do with many suppliers so that I can track who is abusing my personal data by distributing it to third parties, despite the fact that I tick all the 'opt-out' boxes.
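The per-supplier address trick described above only pays off if you actually notice when a tagged address is contacted by someone other than the party it was issued to. The following script is an added example (not from the original article): it keeps a small registry of which unique address was issued to which supplier, and flags any incoming message whose sender domain does not belong to that supplier. The registry, the supplier domains and the sample messages are all constructed for illustration.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed registry (hypothetical): each unique address was handed to exactly one
# supplier, so the only legitimate sender domains for it are that supplier's own.
ISSUED = {
    "vodafone@example.com": {"vodafone.co.uk"},
    "thinkbroadband@example.com": {"thinkbroadband.com"},
}


def sender_domain(msg):
    """Domain of the From: header (empty string if there is none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def recipient_addresses(msg):
    """All addresses the message was addressed or delivered to, lower-cased."""
    fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
              + msg.get_all("Delivered-To", []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def check_message(raw):
    """Return [(tagged_address, issued_to_domains, actual_sender_domain), ...]
    for every tagged address in the message that was contacted by a third party.
    Note: a forged From: can only hide a leak by impersonating the issuer itself;
    any mail to the tagged address from anyone else is by definition unexpected."""
    msg = email.message_from_string(raw)
    sender = sender_domain(msg)
    findings = []
    for rcpt in sorted(recipient_addresses(msg)):
        allowed = ISSUED.get(rcpt)
        if allowed is None:
            continue  # not one of our tagged addresses
        # Accept the issuer's domain and its subdomains (e.g. mail.vodafone.co.uk).
        if sender not in allowed and not any(sender.endswith("." + d) for d in allowed):
            findings.append((rcpt, sorted(allowed), sender))
    return findings


# Constructed sample messages: one third-party mailing, one from the issuer.
LEAKED = ("From: Offers <offers@towels.example.net>\nTo: vodafone@example.com\n"
          "Subject: Bath sheet sale\n\nBuy now.\n")
LEGIT = ("From: Vodafone <noreply@mail.vodafone.co.uk>\nTo: vodafone@example.com\n"
         "Subject: Your bill\n\nYour bill is ready.\n")

if __name__ == "__main__":
    for finding in check_message(LEAKED):
        print("possible data leak:", finding)
```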
I contacted Vodafone about this within three hours of receiving the e-mail, to assist them in tracing how an e-mail address I had only ever provided to them ended up being spammed by a third party. I explained the situation and asked to speak to someone who would be able to look into the matter.
"I don't know how that would happen, especially with a company selling bath sheets. I've never given my address to anyone but I get spam... I get spammed a lot. Anyone can get your e-mail address no matter what it is. I don't know how those companies do it. That's definitely not information we would give out."
I was explicit in trying to make it clear this wasn't random spam: "This e-mail address I have given to you is specific to Vodafone. I have never given it to anyone else. It's not a generic e-mail address that's on my business card or that I put into random websites. The only company I have ever given this e-mail address to is Vodafone."
The operator then advised me that I would have to get in touch with head office, but when asked for a number, told me that I couldn't call them and would have to send a letter.
I cannot say with certainty that nobody obtained the e-mail address from my own systems or some other way, but I find that highly unlikely, not least because it would make no sense to spam that address and only that address.
I am of course concerned about what appears to be a data compromise, but even more alarmed by the fact that this did not raise concerns within Vodafone.
I thought long and hard about whether to write this article and whether to name Vodafone, but after years of being a customer, I am quite astounded by the lack of a security mindset especially as I have mentioned this to two different Vodafone representatives. A novice in social engineering could defeat many of the security steps in place, and at least cause inconvenience if not significant damage.
We live in a world where private investigators are hacking into voicemails, and yet warning signs are not acted upon quickly. Having since seen the Epsilon stories, I do wonder if Vodafone are an Epsilon customer, or whether this is just another similar case. I hope at least this article will raise awareness of this issue and encourage companies to put in place systems to handle such reports.