
Information security, and how not to do it

On the 21st of this month, I received an email from a company*, advertising their upcoming online seminar, and various other online courses they ran, including ones on the Data Protection Act, and information security.
Since I wasn't interested in their courses, and didn't remember signing up to receive any marketing materials from this company, I clicked on the unsubscribe link. However, when the unsubscribe page opened, the name and email fields were already completed...and none of the information was mine.
In fact, the email address was for a Junior School in Portsmouth (edited version below).


This is not great, in terms of information security...you know, that thing they're running online courses on?
So, I replied to them within an hour, pointing out that the information in those fields was not mine, and they might want to do something about that.
To date, I've not received an acknowledgement of my email, or any form of response.
I was also not alone in receiving this email, and finding someone else's information in the form when following the unsubscribe link.

However, in the days since, the form the link leads to has changed...well, to be specific, the information viewable in the form has changed. Yes, it's gone from being the contact details of the school in Portsmouth, to the address of a private school yesterday, and today, one for a university. The first two times, the emails were admin addresses, but the university address is the work email of an individual, with their proper name in it (instead of, as above, "No" and "Thanks" being the name).

Now, mistakes happen, and making a link to a form that shows the details of the last person who's used it was probably an accident. But this is not how you deal with it.
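The post doesn't say what caused the form to carry the previous visitor's details, and the company never explained. The example below is added here for illustration and is not the company's code: it shows one common way this class of bug arises (the form's values kept in handler state that is shared by every request, so whoever submitted last prefills the form for the next stranger), beside the kind of per-recipient unsubscribe link that avoids it. In the fixed version each email carries a link whose token is an HMAC over the recipient's subscriber id; the page prefills only from a valid token and stores nothing submitted in shared state. `Request`, `LeakyUnsubscribe`, `TokenUnsubscribe` and the sample subscribers are all constructed for this example.

```python
"""Two toy unsubscribe handlers: one that leaks the previous visitor's
details across requests, and one keyed by a signed per-recipient token.
Constructed illustration only; the incident's real cause is not known."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    query: dict          # URL parameters, e.g. {"token": "..."}
    form: dict = None    # POST body for a submission, None for a plain GET


class LeakyUnsubscribe:
    """Anti-pattern: the last submitted values live in handler-level state
    shared by every request, so visitor B sees visitor A's name and email."""

    def __init__(self):
        self.last_values = {"name": "", "email": ""}   # shared across all users

    def handle(self, req):
        if req.form is not None:
            # Remember what was typed so the form "helpfully" stays filled in...
            self.last_values = {"name": req.form["name"], "email": req.form["email"]}
            return {"status": 200, "prefill": None, "message": "unsubscribed"}
        # ...and hand it to whoever opens the page next, regardless of who they are.
        return {"status": 200, "prefill": dict(self.last_values), "message": None}


class TokenUnsubscribe:
    """Fix: the unsubscribe link carries '<subscriber id>.<HMAC-SHA256>'.
    Only a link whose MAC verifies may show that one subscriber's details,
    and nothing submitted is ever kept in shared state."""

    def __init__(self, subscribers, key):
        self.subscribers = subscribers   # id -> {"name": ..., "email": ...}
        self.key = key                   # server-side secret, never in the URL
        self.unsubscribed = set()

    def token_for(self, sub_id):
        mac = hmac.new(self.key, sub_id.encode(), hashlib.sha256).hexdigest()
        return f"{sub_id}.{mac}"

    def link_for(self, sub_id):
        # Hypothetical host name; each recipient gets their own link.
        return f"https://mailer.example.invalid/unsubscribe?token={self.token_for(sub_id)}"

    def _verify(self, token):
        sub_id, _, mac = token.partition(".")
        if not sub_id or sub_id not in self.subscribers:
            return None
        expected = hmac.new(self.key, sub_id.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        return sub_id if hmac.compare_digest(mac, expected) else None

    def handle(self, req):
        sub_id = self._verify(req.query.get("token", ""))
        if sub_id is None:
            return {"status": 403, "prefill": None, "message": "invalid or missing token"}
        if req.form is not None:
            self.unsubscribed.add(sub_id)
            return {"status": 200, "prefill": None, "message": "unsubscribed"}
        return {"status": 200, "prefill": dict(self.subscribers[sub_id]), "message": None}


def demo():
    """Run both handlers against two constructed subscribers and report
    what each visitor would see in the form."""
    school = {"name": "Office Admin", "email": "office@school.example.invalid"}
    reader = {"name": "B. Reader", "email": "reader@example.invalid"}

    leaky = LeakyUnsubscribe()
    leaky.handle(Request(query={}, form=school))            # the school unsubscribes
    leaked = leaky.handle(Request(query={}, form=None))     # a stranger opens the link
    leaked_prefill = leaked["prefill"]                      # the school's details

    fixed = TokenUnsubscribe({"s1": school, "s2": reader}, secrets.token_bytes(32))
    own = fixed.handle(Request(query={"token": fixed.token_for("s2")}, form=None))
    bare = fixed.handle(Request(query={}, form=None))       # link with no token
    forged = fixed.token_for("s2").replace("s2.", "s1.", 1) # swap in another id
    tampered = fixed.handle(Request(query={"token": forged}, form=None))

    return {
        "leaked": leaked_prefill,          # leaky handler: someone else's data
        "own": own["prefill"],             # fixed handler: only the holder's data
        "bare_status": bare["status"],     # 403
        "tampered_status": tampered["status"],  # 403
    }


if __name__ == "__main__":
    print(demo())
```

Invalidating a token once its subscriber has unsubscribed, and expiring tokens after a set time, are the obvious next steps; the point here is simply that the form's contents must be derived from the link the recipient was sent, never from whatever the previous visitor typed.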

What would I have done if this had been my mistake?

  • When I got the email pointing it out, I would have responded to the person contacting me, apologising for the issue, and thanking them for bringing it to my attention
  • I would have deactivated the link immediately
  • I would have got whatever glitch it is that's preserving the last user's information in the page fixed
  • Once that was done, I would have emailed everyone that had received the previous email, apologising for the issue, and telling them that the unsubscribe link was now secure and anonymous
This company has done none of that. Allowing anyone to view names and email addresses of strangers is not as serious as sharing work or home addresses, or more sensitive personal information, but this is a company which is running a business specifically selling training on data protection, and information security. Hands up who'd feel confident about using their training, if this is how they put it into practice?

*I have not named the company here, but contact me directly if you would like to know who it is.

Comments

Michael said…
I believe it's known as the "easy come, easy go" approach to data security.

It's commonly practiced by most high street banks I gather! ;-)
