Richi Jennings writes what happened when he started getting spam at a tagged email address he had given only to Carbonite:
The company responded with a dry drawer statement:
Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.
TL;DR: Carbonite disclosed Carbonite customers’ personal information to a third party. It did so in contravention of its privacy policy.
The story the company’s giving out tells me clearly that “the security and privacy of its customer data” is not its “top priority,” and that it doesn’t “take all matters related to privacy very seriously.”
But, Carbonite would no doubt reply, the advertiser is simply a contractor — not really a “3rd party.” It’s necessary for it to give out customers’ email addresses, so that people don’t get inappropriate email, Carbonite would probably argue.
Horse feathers!
Read more on Computerworld.
Didn’t we see some of this after the Epsilon breach, when customers who had opted out of e-mails wound up getting breach notifications because their data were still on lists but tagged as suppress?