PGP irritated its security conscious customers on Tuesday by making the schoolboy error of sending out an email marketing message to a list of around 300 recipients without using the bcc field. As a result of the slip-up, all the recipients of the marketing email (extract below) learned the email addresses of other potential …
Some new boy put in front of a PC and told to get on with it.
Most organisations don't train their staff properly.
Bad PGP! Naughty!
There's a sex shop in Soho that also did this recently. Instead of apologising to its customers, they ignored all emails to them about it. Great (lack of) customer service.
And no, I'm not a customer of that shop, my, ahem, friend is.
Paris because, well, she invented sex shops, didn't she?
Somebody did this where I work, bypassing established marketing email procedures through laziness.
They were promptly shown the door. Even for a small mailshot of a few hundred, there's no excuse for using Outlook, let alone forgetting to tick the right boxes.
Email's a dangerous thing - I insist all criteria are triple checked before sending a bulk email.
CC and BCC should not be a choice when sending a group email -- the software should be configured so that mass-email CC is impossible.
A couple of weeks ago...
... I received an e-mail from Argos plugging their "Spring Blowout Sale", but someone obviously hasn't comprehended the idea of BCC, because it has over one thousand, three hundred e-mail addresses clearly visible in the "To" field!
Those email addresses should have been in a database. There should have been a method for mass emailing people in said database (web form?). Nobody other than the techies maintaining that database should have direct access to the list of email addresses.
Maybe the guys at PGP don't care about protecting their customers' personal data. Even people *within* the company should be prevented from accessing customer data that they don't *need* access to.
someone needs to be fired for this
that is all
Isn't this against data protection laws?
Paris, as she knows all about being unwittingly exposed.
Something like this happened...
...with a company my dad had inquired with regarding some engineering app or another. It resulted in an utter uproar of pissed off engineers firing messages back and forth: somehow, all mails back to the company, even without 'reply all', got cc'd to the original list.
So the first round involved indignant responses to the company; the second involved angry rejoinders from people who got the first round and thought it was the fault of the first responders; the third involved both the peanut gallery submitting wry comments and others yelling for everybody else to STOP SENDING EMAILS ALREADY...
Apparently it was a pretty fun day.
We are very sorry about this
and are doing what we can. I have posted a comment at:
Never fails to amaze me that...
...ISPs and most commercial mail server implementations don't have a limit on the number of addresses in the TO/CC field (e.g., more than 200 and it bounces back saying "please use BCC" or something).
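The control the comments above ask for (mass-email CC made impossible by configuration, or a limit on visible To/CC addresses enforced at submission time) can be expressed as a policy check plus a Bcc rewrite. The Python below is an added example, not code from the thread, PGP, The Register or any mail product; the limit of 10 and the example.com/example.org addresses are constructed.

```python
# Added example, not code from the thread, PGP or any mail product.
# The limit of 10 and all addresses are constructed for illustration.
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 10  # assumed site policy for To + Cc combined


def header_addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Parse addresses out of every occurrence of the named headers."""
    raw = [v for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read in the delivered mail: To and Cc."""
    return header_addresses(msg, "To", "Cc")


def check_policy(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Submission-gateway check: refuse mail that exposes more than `limit` addresses."""
    n = len(visible_recipients(msg))
    if n > limit:
        return False, f"{n} addresses visible in To/Cc, limit is {limit}; use Bcc"
    return True, "ok"


def to_bcc(msg: EmailMessage, sender: str) -> EmailMessage:
    """Return a copy in which only `sender` is visible; everyone else moves to Bcc."""
    # smtplib.SMTP.send_message() strips the Bcc header before transmission but
    # still delivers to those addresses, so the delivery set is unchanged.
    recipients = visible_recipients(msg)
    fixed = message_from_bytes(msg.as_bytes(), policy=default)  # clone by re-parsing
    for header in ("To", "Cc", "Bcc"):
        del fixed[header]  # removes every occurrence; absent headers are fine
    fixed["To"] = sender
    fixed["Bcc"] = ", ".join(recipients)
    return fixed


def build_sample() -> EmailMessage:
    """Constructed marketing mail with twelve customers exposed in To."""
    msg = EmailMessage()
    msg["From"] = "marketing@example.com"
    msg["Subject"] = "Spring newsletter"
    msg["To"] = ", ".join(f"customer{i}@example.org" for i in range(12))
    msg.set_content("Hello, here is our newsletter.")
    return msg
```

Wiring `check_policy` into the submission path (or a pre-send hook in the mailing tool) turns the mistake into a bounced message rather than a disclosure.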
Employee of the Month
So, Homer Simpson now works for PGP!
I was going to come in flaming, but then I saw this. The CSO fessing up in near real time and blogging it too. You don't see that very often these days.
Paris because she knows all about full disclosure...
I've had worse from BladeRunner
I forgot about this when I posted:
First they left their web-based marketing database exposed to Google long enough for it to be cached for a few weeks (I know this because I google my email address now and again). They never replied to my email when I let them know either.
Then, to add insult to injury, they sent out a bulk email with everyone's name in the To... Field.
Mine's the hoodie with the Kevlar lining.
@We are very sorry about this
Don't fire whoever it was. Everyone makes mistakes.
The problem with security
is that 30 sigma reliability isn't enough to stop these things from happening.
PGP email marketing gaffe creates message storm
As one of the people who received this email, to say I'm NOT amused is putting it mildly. A security company that seems to have no idea about security... it's a joke!
@ Jon Callas.....
Maybe you should change the company name to PPP (Piss poor privacy), then your customers couldn't complain.
Gizza job fella! My marketing skills are outstanding.....
"Trouble getting your name known? Sick of the pay-per-click advert costs? Use PPP, and then everyone will know your business!"
Mine's the one with the CV in the pocket.
@ Jon Callas
First of all, may I say I am impressed with your speedy and honorable response to the matter.
It's rare indeed that we see such candidness.
Secondly, I would like to say this might be an embarrassing incident for yourselves, dashed with more than a little irony, but that I have seen much, much worse gaffes, from organisations and individuals who should have known much better.
At least it was only a harmless marketing email. Anyone got the latest tally from the MOD?
290 email addresses vs 600,000 people's passport details, NI numbers, family details, medical records...