Data Breaches and Email List Data Theft

In a comment on another blog, Neil Schwartzman reminded readers that the recent theft of email list data from Aweber wasn't the first time in history that spammers stole email addresses from a service provider. As he points out, something similar happened to Lyris' Sparklist service back in 2002. He also pointed out that convicted felon Jason Smathers stole 30,000,000 addresses from AOL in 2003. The Ameritrade data leak from a few years ago comes to mind, as well. In that case, it may have been an ongoing issue from 2005 through 2007. Yuck.

In 2006, email marketer Datran settled with the New York Attorney General over allegations of misuse of email list and/or subscriber profile data. On that issue, Fox News reported that "Spitzer accused Datran of knowing of the companies' pledges [never to share data with a third party], but [that Datran, as a third party, was] spamming those consumers with unsolicited e-mails anyway, advertising discount drugs, diet pills and other products. [...] Spitzer's staff said they believe it is the largest deliberate breach of Internet privacy discovered by U.S. authorities."

It strikes me that perhaps the Aweber breach wasn't quite the "largest data breach in email marketing history" as suggested elsewhere.

On a semi-related note, this Chronology of Data Breaches, published by the Privacy Rights Clearinghouse, is very interesting. Maybe somebody needs to start something similar for email-specific data breaches? Sadly, there may have been enough of them by this point to warrant a standalone timeline.

2 comments:

Steve said...

I've been asked to investigate 4 or 5 email privacy breaches that were never made public, but where the owner of the lists considered the breach serious enough to bring in a third party to investigate. Mostly subcontractors or employees thereof stealing addresses, as far as I could tell without getting LEO involved.

And I'm aware, based on using tagged addresses for most everything since the early 90s, of dozens of other data breaches - maybe minor, maybe major, there's no way to tell. At least one of those breaches included theft of both the email addresses and credit card numbers associated with orders, presumably via compromise or theft at the shopping cart provider.

I suspect that data breaches are pretty common, maybe even the norm, and the vast majority aren't reported or even noticed.

There's a lot of it out there.

Spamfighter said...

Al,

My comments (and yours) noting Aweber not being the biggest breach ever were removed (some might say "CENSORED") by the owner of the linked blog. I have subsequently removed all of my posts and deleted my account from said blog.

I didn't take kindly to the largest 'whitewash of history' in history.

;-)