Has Carbonite had a privacy breach? I'm getting spam.

Spam! (freezelight@Flickr)

Oh ****, where's all this spam coming from? It looks like Carbonite, Inc. has been giving out customers' personal information. The company's admitted giving my email address to a third party, despite promising that it wouldn't. Should you be worried? Let's take The Long View...

Like many anti-spam wonks, I don't give out my email address to just anyone. Instead, when I need to register for something, I make up a unique email address. That unique address is aliased to my real email account, but can be switched off if the sender turns out to be a spammer. Similarly, if I start receiving spam to that email alias, I can tell which organization leaked or sold my details, because the alias is uniquely tied to that organization. And so it came to pass that I started getting spam to an alias I gave to Carbonite. Note that this wasn't spam from Carbonite, but from several unrelated organizations. It would appear that Carbonite has either sold my personal details, or has had a security breach. Either possibility is nasty, particularly for a company that we're supposed to trust with our data -- in case you're not familiar with Carbonite, it's an online backup service! If the company sold my details, this is in direct contravention of its privacy policy:
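The per-organization alias trick described above can be automated: the mail server's delivery log, read against a registry of which alias was handed to which organization, tells you which alias is now receiving mail from senders that organization never uses. The following is an added example (not code from the original post or from Carbonite); the alias domain, organization names, expected sender domains and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed registry: each alias was handed to exactly one organization at
# registration time and forwards to the real mailbox. Domain names are hypothetical.
ALIAS_REGISTRY = {
    "carbonite.3f9a@aliases.example.net": "Carbonite",
    "acme.71bc@aliases.example.net": "Acme Widgets",
}

# Sender domains each organization legitimately mails from (assumed for the example).
EXPECTED_SENDER_DOMAINS = {
    "Carbonite": {"carbonite.com"},
    "Acme Widgets": {"acme.example"},
}

# Constructed delivery-log lines in the shape "<timestamp> from=<addr> to=<addr>".
SAMPLE_LOG = """\
2011-03-01T10:00:00 from=news@carbonite.com to=carbonite.3f9a@aliases.example.net
2011-03-02T11:30:00 from=deals@cheap-pills.example to=carbonite.3f9a@aliases.example.net
2011-03-02T12:00:00 from=promo@win-big.example to=carbonite.3f9a@aliases.example.net
2011-03-03T09:15:00 from=support@acme.example to=acme.71bc@aliases.example.net
"""

LOG_RE = re.compile(r"^\S+ from=(?P<sender>\S+) to=(?P<recipient>\S+)$")


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def attribute_leaks(log_text: str) -> dict:
    """Return {organization: sorted list of unexpected sender domains}.

    Mail to an organization's private alias from a domain that organization does
    not use means the alias has reached someone else, so the organization the
    alias was given to is the one that leaked, sold or lost it.
    """
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not delivery records
        org = ALIAS_REGISTRY.get(m["recipient"].lower())
        if org is None:
            continue  # not one of our tracked aliases
        dom = sender_domain(m["sender"])
        if dom not in EXPECTED_SENDER_DOMAINS.get(org, set()):
            suspects[org].add(dom)
    return {org: sorted(doms) for org, doms in suspects.items()}


def aliases_to_disable(log_text: str) -> list:
    """Aliases whose owning organization is implicated; these can be switched off."""
    leaked = attribute_leaks(log_text)
    return sorted(alias for alias, org in ALIAS_REGISTRY.items() if org in leaked)


if __name__ == "__main__":
    for org, doms in attribute_leaks(SAMPLE_LOG).items():
        print(f"{org}: alias contacted by unexpected senders {doms}")
    print("aliases to disable:", aliases_to_disable(SAMPLE_LOG))
```

The attribution only works because every alias is unique to one organization; a shared address (or a single `+tag` that several sites were given) cannot distinguish a leak from ordinary marketing, which is why the registry maps each alias to exactly one recipient organization.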

Carbonite will not sell your personal information to third parties. ... Carbonite will not disclose your personal information...to third parties unless disclosure is necessary to comply with law.

I asked Carbonite what was going on. The company responded with a dry drawer statement:

Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.

TL;DR: Carbonite disclosed Carbonite customers' personal information to a third party. It did so in contravention of its privacy policy. The story the company's giving out tells me clearly that "the security and privacy of its customer data" is not its "top priority," and that it doesn't "take all matters related to privacy very seriously." But, Carbonite would no doubt reply, the advertiser is simply a contractor -- not really a "3rd party." It's necessary for it to give out customers' email addresses, so that people don't get inappropriate email, Carbonite would probably argue.

Horse feathers!

This is completely the wrong way around. What Carbonite should have done is to scrub the advertiser's list itself, rather than send our sensitive data to a third party.

If that wasn't possible, it should have arranged a way of matching the suppressed addresses using a one-way hash. That would have allowed the advertiser to remove Carbonite customer addresses from the list, without actually disclosing them.
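Here is what the one-way-hash suppression described above looks like in practice, as an added example that is not part of the original post and not Carbonite's own process. The customer and prospect addresses are constructed, and the use of a keyed HMAC (with a key shared only between the two parties) rather than a bare hash is this example's own choice: a bare SHA-256 of an email address can be reversed by simply hashing guessed addresses, because addresses are low-entropy.

```python
import hashlib
import hmac
import secrets

# Constructed data. The customer list never leaves the company; only digests do.
CUSTOMERS = ["alice@example.com", "Bob@Example.org", "carol@example.net"]
PROSPECTS = ["bob@example.org", "dave@example.com", "alice@example.com", "erin@example.org"]


def normalize(address: str) -> str:
    """Both sides must canonicalize identically, or suppression silently misses."""
    return address.strip().lower()


def digest(address: str, key: bytes) -> str:
    """Keyed one-way digest of a normalized address."""
    return hmac.new(key, normalize(address).encode("utf-8"), hashlib.sha256).hexdigest()


def hashed_suppression_list(customers, key: bytes) -> set:
    """Company side: the set handed to the advertiser contains no addresses at all."""
    return {digest(c, key) for c in customers}


def scrub(prospects, suppression: set, key: bytes) -> list:
    """Advertiser side: drop every prospect whose digest is on the suppression list.

    Addresses the advertiser does not already hold cannot be recovered from the
    list; the only thing it learns is which of its own prospects to drop.
    """
    return [p for p in prospects if digest(p, key) not in suppression]


def contains_plaintext(suppression: set) -> bool:
    """Sanity check before the list is sent: nothing in it should look like an address."""
    return any("@" in entry for entry in suppression)


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # exchanged out of band with the advertiser
    suppression = hashed_suppression_list(CUSTOMERS, shared_key)
    assert not contains_plaintext(suppression)
    print("prospects left after suppression:", scrub(PROSPECTS, suppression, shared_key))
```

The caveat a practitioner should keep in mind: the advertiser, who holds the key, can still test any address it already has (or guesses) against the list, which is inherent in any matching scheme. What the keyed digest prevents is the failure mode in the story: a mishandled list that is itself a ready-to-use mailing list for anyone who obtains it.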

Oh, lest we forget, this is the same online backup company that lost the backups of thousands of its customers, while denying any data were lost, despite reports from customers who said they had (ahem) lost data. Carbonite later admitted that 54 customers were affected, while thousands of others had to re-upload their data. It's also the company whose VP of marketing was caught red-handed posting astroturf-positive reviews on Amazon, along with other Carbonite employees. When the news broke, the company denied it had sanctioned the phony reviews. So I guess this is Strike Three. Why should anyone trust Carbonite, Inc. ever again?  

Would you trust Carbonite? Leave a comment below...

[If you're at all affiliated to Carbonite, please make that clear. I especially invite CEO David Friend to exercise his right of reply; but please, no anonymous PR drawer statements.] 

Update: Dave Friend blogs his reaction...

I am pretty angry about what happened. We broke our hard and fast rule about the privacy of our customers’ email addresses. So I owe any customers impacted by this an apology and a full explanation.
[We] use a supposedly trustworthy email forwarder to communicate subscription-related information to our customers.
[C]ustomers’ personal information was not compromised in any way.

Riiight. As predicted, mea-culpa #3 from Mr. Friend. Except that the "trusted" email service provider is actually a known spam-friendly company. I'm not ready to name names just yet -- not until I've gathered more evidence -- but it's reasonably clear to me which company Friend is talking about here.

If he's serious that he thought this company could be "trusted" he's naive as heck.

Also, this account differs significantly from that provided by the anonymous company spokesperson earlier. So which is it: the stupid trusting of a known spammer, or the even-stupider suppression-list explanation?

Richi Jennings, blogger at large

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. As well as The Long View, he's also the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: TLV@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.
