
Information security, and how not to do it

On the 21st of this month, I received an email from a company*, advertising their upcoming online seminar, and various other online courses they ran, including ones on the Data Protection Act, and information security.
Since I wasn't interested in their courses, and didn't remember signing up to receive any marketing materials from this company, I clicked on the unsubscribe link. However, when the unsubscribe page opened, the name and email fields were already completed...and none of the information was mine.
In fact, the email address was for a Junior School in Portsmouth (edited version below).


This is not great, in terms of information security...you know, that thing they're running online courses on?
So, I replied to them within an hour, pointing out that the information in those fields was not mine, and they might want to do something about that.
To date, I've not received an acknowledgement of my email, or any form of response.
I was also not alone in receiving this email, and finding someone else's information in the form when following the unsubscribe link.

However, in the days since, the form the link leads to has changed....well, to be specific, the information viewable in the form has changed. Yes, it's gone from being the contact details of the school in Portsmouth, to the address of a private school yesterday, and today, one for a university. The first two times, the emails were admin addresses, but the university address is the work email of an individual, with their proper name in it (instead of, as above "No" and "Thanks" being the name).

Now, mistakes happen, and making a link to a form that shows the details of the last person who's used it was probably an accident. But this is not how you deal with it.

What would I have done if this had been my mistake?

  • When I got the email pointing it out, I would have responded to the person contacting me, apologising for the issue, and thanking them for bringing it to my attention
  • I would have deactivated the link immediately
  • I would have got whatever glitch it is that's preserving the last page user information fixed
  • Once that was done, I would have emailed everyone that had received the previous email, apologising for the issue, and telling them that the unsubscribe link was now secure and anonymous
This company has done none of that. Allowing anyone to view names and email addresses of strangers is not as serious as sharing work or home addresses, or more sensitive personal information, but this is a company which is running a business specifically selling training on data protection, and information security. Hands up who'd feel confident about using their training, if this is how they put it into practice?

*I have not named the company here, but contact me directly if you would like to know who it is.
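The post doesn't say what the "glitch" was, so as an added illustration (not the company's code, and the cause is an assumption) here is one common way a form ends up showing the previous visitor's details: the handler keeps the last submission in process-wide state and uses it to prefill the page for everyone. Beside it is the safe version, which prefills only from a signed per-recipient token carried in each person's own unsubscribe link and marks the response non-cacheable; all names, addresses and the key are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# --- Vulnerable pattern (assumed cause, constructed for illustration) ---
# One process-wide dict holds the last submitted values and is used to
# prefill the form for *every* later visitor, so stranger B sees stranger A.
_last_submission = {"name": "", "email": ""}

def vuln_submit(form: dict) -> None:
    _last_submission.update(name=form.get("name", ""),
                            email=form.get("email", ""))

def vuln_render_form() -> dict:
    # Field values the template would prefill for the next visitor.
    return dict(_last_submission)

# --- Hardened pattern: prefill only from a per-recipient signed token ---
SECRET = b"constructed-placeholder-key"  # load from config in real use
NO_STORE = {"Cache-Control": "no-store"}  # personalised page: never cache it

def _tag(email: str) -> str:
    return hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()

def make_unsubscribe_link(email: str) -> str:
    # Each recipient's link names only themselves; the server keeps no state.
    return f"/unsubscribe?email={quote(email)}&sig={_tag(email)}"

def safe_render_form(url: str) -> dict:
    params = parse_qs(urlparse(url).query)
    email = params.get("email", [""])[0]
    sig = params.get("sig", [""])[0]
    if email and hmac.compare_digest(sig, _tag(email)):
        return {"fields": {"email": email}, "headers": dict(NO_STORE)}
    # Missing or forged token: blank form, never another visitor's data.
    return {"fields": {"email": ""}, "headers": dict(NO_STORE)}
```

Deactivating the old link and reissuing per-recipient links is what makes the form "secure and anonymous": a visitor without a valid token sees nothing at all.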

Comments

Michael said…
I believe it's known as the "easy come, easy go" approach to data security.

It's commonly practiced by most high street banks I gather! ;-)
