
Information security, and how not to do it

On the 21st of this month, I received an email from a company*, advertising their upcoming online seminar, and various other online courses they ran, including ones on the Data Protection Act, and information security.
Since I wasn't interested in their courses, and didn't remember signing up to receive any marketing materials from this company, I clicked on the unsubscribe link. However, when the unsubscribe page opened, the name and email fields were already completed...and none of the information was mine.
In fact, the email address was for a Junior School in Portsmouth (edited version below).


This is not great, in terms of information security...you know, that thing they're running online courses on?
So, I replied to them within an hour, pointing out that the information in those fields was not mine, and they might want to do something about that.
To date, I've not received an acknowledgement of my email, or any form of response.
I was also not alone in receiving this email, and finding someone else's information in the form when following the unsubscribe link.

However, in the days since, the form the link leads to has changed...well, to be specific, the information viewable in the form has changed. Yes, it's gone from being the contact details of the school in Portsmouth, to the address of a private school yesterday, and today, one for a university. The first two times, the emails were admin addresses, but the university address is the work email of an individual, with their proper name in it (instead of "No" and "Thanks" being used as the name, as above).

Now, mistakes happen, and making a link to a form that shows the details of the last person who's used it was probably an accident. But this is not how you deal with it.

What would I have done if this had been my mistake?

  • When I got the email pointing it out, I would have responded to the person contacting me, apologising for the issue, and thanking them for bringing it to my attention
  • I would have deactivated the link immediately
  • I would have fixed whatever glitch it is that's preserving the previous user's information in the form
  • Once that was done, I would have emailed everyone that had received the previous email, apologising for the issue, and telling them that the unsubscribe link was now secure and anonymous
This company has done none of that. Allowing anyone to view names and email addresses of strangers is not as serious as sharing work or home addresses, or more sensitive personal information, but this is a company which is running a business specifically selling training on data protection, and information security. Hands up who'd feel confident about using their training, if this is how they put it into practice?
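As an added illustration, not code from this post or from the company involved, here is the kind of form handling that produces what I saw, beside a version that doesn't. It assumes the glitch was prefill state shared across every request (the post doesn't say what it actually was); the names, addresses and the token store are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Buggy version. Assumed cause (the post does not say what the glitch was):
# the prefill values live in one variable shared by every request, so each
# visitor sees whoever submitted the form before them.
_last_submission = {"name": "", "email": ""}

def prefill_buggy(previous_submission=None):
    """Return the form's prefilled fields, recording a submission if given."""
    global _last_submission
    if previous_submission is not None:
        _last_submission = dict(previous_submission)
    return dict(_last_submission)  # another user's details leak here

# Fixed version: each recipient's link carries an opaque random token that is
# looked up per request; nothing from one visitor is kept for the next.
_tokens = {}  # constructed stand-in for a database table: token -> recipient

def make_unsubscribe_link(name, email):
    """Issue a per-recipient link; the address itself never appears in the URL."""
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"name": name, "email": email}
    return f"https://example.invalid/unsubscribe?t={token}"

def prefill_fixed(link):
    """Prefill only from the token in this visitor's own link."""
    query = parse_qs(urlparse(link).query)
    token = query.get("t", [""])[0]
    recipient = _tokens.get(token)
    if recipient is None:
        return {"name": "", "email": ""}  # unknown or tampered link: empty form
    return dict(recipient)

def complete_unsubscribe(link):
    """Consume the token so the link cannot be reused to read the details."""
    token = parse_qs(urlparse(link).query).get("t", [""])[0]
    return _tokens.pop(token, None) is not None
```

The fixed form shows a visitor only what their own link points at, and once the unsubscribe goes through the link stops showing anything at all.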

*I have not named the company here, but contact me directly if you would like to know who it is.

Comments

Michael said…
I believe it's known as the "easy come, easy go" approach to data security.

It's commonly practiced by most high street banks I gather! ;-)
