ID theft might have been preferable to this…
Somewhat like a broken record, I’ve often noted that reports or analyses of breaches seem to pay only lip service to the human or emotional cost of data breaches. The nonquantifiable consequences of breaches get short shrift not only in reports or analyses of breaches, but in proposed legislation that fails to provide individuals with any private cause of action and that fails to bar covered entities from uploading files containing personally identifiable information to public servers.
The Astroglide breach report by Michael Hampton highlights the potential human consequences that are all too often ignored. As he reports, the names, email addresses, and shipping addresses of thousands of consumers who had requested free samples were revealed on the web — sorted by the product. No financial data were compromised, but:
… aside from the thousands of records remaining in Google’s cache, a spreadsheet containing 4,529 records of people who ordered the company’s Silken Secret vaginal moisturizer product remains on Astroglide’s web site, available for download by anyone. Out of these records, 4,055 were identified as female, 472 identified as male, and two had no gender listed.
Apart from the spreadsheet file, there are dozens of files with names and addresses also still available in Google’s cache. So no financial data, but now a lot of people might be embarrassed to have friends, partners, or colleagues learn that they had ordered a vaginal moisturizer. Or maybe someone’s spouse or partner will suddenly become suspicious about why the person would be ordering a sample of this product. Or maybe some stalker can now locate the address of his victim, or a battered woman who tried to hide from an abusive spouse may find that her address hasn’t really been secret.
Under our existing system, what’s the worst that can happen to Astroglide? The FTC might hit them with a fine or require (expensive) audits. Clearly that would not be good financially for Astroglide, but what about the people who might be affected? Under most laws, they have absolutely no legal recourse against Astroglide if they cannot demonstrate financial harm. No compensation for embarrassment. No compensation for any woman who may now live in fear of a stalker or an abusive spouse finding out her address. Do I know that any of this will happen or has happened? Of course not. But it could, and until we pay more attention to the human consequences of breaches, we will continue to miss what I think is the more important impact of breaches: their nonfinancial impact.

There are at least 100 files in Google’s cache. I stopped counting after page 20 of search results…
I did a quick search to verify your report before citing it here, and yes, it’s pretty bad. There are 20 cached pages from 2006, each appearing to contain around 200 or more consumer records, about the same for 2005, and somewhat less for 2004 and 2003. Not a pretty picture.
I just sent out job applications to several tech companies, who will undoubtedly do a little internet background check of me online. According to statistics, 1 out of 4 will not hire me based on what they find online, which is now the fact that I have my address listed on a lube customer list. Does that count as demonstration of financial harm?
Danielle:
If it could be demonstrated that that information led to the loss of job opportunity, I’d say “yes, it counts.”
Hopefully all cached copies of the files will be gone before anyone googles you for a job.
Best of luck.
Maybe I don’t understand… availability of records is bad, but… embarrassed that people will know you ordered lube? What kind of puritan society do we live in? People have sex, and sometimes they use lube to do it! There’s nothing wrong with that; you act like “lube customers” are somehow questionable people… nonsense.
I don’t think anyone’s acting like “lube customers” are questionable people. I think we’re recognizing that: (1) some people would be embarrassed or upset at having this information about them made public, and (2) it doesn’t really matter to me what the item is — if a business says it will keep your details private and protected, then it should do so. Biofilm’s attempt to suggest that they were the victim of Google is ridiculous.