The Register Email Address Blunder

Posted by Unknown Lamer
from the flog-thyself-in-penance dept.
First time accepted submitter Tim99 writes "This morning I got an email from The Register informing me that they have sent 3,521 of their readers the names and e-mail addresses of 46,000 other readers. Considering their frequent rants about security this has got to be a major FAIL." El Reg writes: "Obviously, this was an error. The two-stage send process that is the norm for all of our mailers was over-looked because someone was in a hurry."
This discussion has been archived. No new comments can be posted.

  • by SpooForBrains (771537) on Tuesday October 25, 2011 @04:16AM (#37828848)
    "We are in the process of blowing the whistle on ourselves to the ICO over the matter."
    • by sethstorm (512897)

      Since the people at the ICO failed to act on our report, they have reported themselves for violations.

      (the original sanction against The Register will be given at great haste and expense) /python

    • by Mushdot (943219)

      We should be able to moderate submitters on accuracy of headline and summary. Tim99 obviously left out the bit about the ICO to make his FAIL point.

      • by Tim99 (984437) on Tuesday October 25, 2011 @07:13AM (#37829440)

        > We should be able to moderate submitters on accuracy of headline and summary. Tim99 obviously left out the bit about the ICO to make his FAIL point.

        Bolting the stable door...

        I have been a reader and contributor to The Register for a number of years. During this time El Reg has been a consistent critic of organizations who leak data. This was carelessness. Yes they have contacted ICO, but, by their own standards, this is an epic FAIL.

        --Tim99

        • by Mushdot (943219)

          Thanks for replying. I agree this is something they should be panned for, especially as they are always taking other companies to task over the same mistake, but by owning up to it almost immediately and also reporting themselves to the ICO I feel they have at least done what they could under the circumstances and I think that should have been mentioned in the summary.

          Ok, maybe their hand was forced to admit the mistake due to three and a half thousand potential whistle blowers, but at least they did it and

        • by cHiphead (17854)

          Shit happens, at least they are up front about it when it happened to them.

          • by rvw (755107)

            > Shit happens, at least they are up front about it when it happened to them.

            And this is why I use separate and disposable gmail-address for them and most other registrations...

        • by epine (68316)

          If you feel left out and would like to be included next time, the email address is ebola@theregister.co.uk

          I'm not sure their PR work is having the desired effect.

          > Yes they have contacted ICO, but, by their own standards, this is an epic FAIL.

          Half of literature and human history consists of people suffering momentary lapses of standards they espouse. If you wear the goat horns valiantly, people will forgive if not forget. Some of the orgs criticized by El Reg are institutions with immense resources and pub

    • This isn't as though they are somehow more virtuous than other companies that they've attacked for the same thing. 3,521 people know that The Register leaked that mailing list. And it's their legal responsibility to report their fuck up to the ICO.

      They couldn't do anything other than report themselves to the ICO given that they are based in England. Or face legal repercussions for not doing so. It doesn't change the significance of the summary one bit.

  • by Sockatume (732728) on Tuesday October 25, 2011 @04:19AM (#37828864)

    They've put their money where their mouth is, and reported themselves to the Information Commissioner's Office for the breach.

    • by wvmarle (1070040) on Tuesday October 25, 2011 @04:33AM (#37828898)

      And they deserve credit for that. Within an hour of the problem they report on it already.

      Mistakes will happen, no matter how hard you try to prevent them. The most important part is: how do you handle those mistakes. Many other companies should take note of what El Reg has done here, and follow their example.

      • by johnjones (14274)

        good good

        exactly they actually have systems....

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        How the Reg handles mistakes. I remember the last time I saw one. Which turned out to be my last visits. This was when they inexplicably decided to use the Sensational Headline Format, designed to lure traffic by little lies. Stolen from celeb news, where stuff like "X dies!" turns out to be "X said he died a little inside when..." There was outrage in the comments when the Register started using it. The way the beloved Reg took care of the problem was to remove and censor every single comment which dared t

        • by RockDoctor (15477)

          > They are an inherent bunch of cunts.

          One of the weirdest insults I've ever seen. If it was an insult; even that isn't clear.

          But what else would you expect from an AC? They rarely rise to the level of American Retard Reject.

      • by Xest (935314)

        I think you're giving them too much credit. Their systems have always been developed and managed in a disturbingly amateur manner, and it seemed clear this was going to come and bite them one day.

        Really, when the quality of their supporting staff is about the same as their journalists (i.e. really really bad), what can you expect?

        Companies should firstly stop employing monkeys to manage systems that said companies are opening themselves up to legal action if they aren't protected properly.

        I'd rather other c

    • What I find more interesting is they posted an email address which they claim goes to the person who screwed up. It's obviously an alias created for the occasion, but it still might actually go to that person. If it does, that shows a measure of accountability that is almost unheard of these days.

      Of course, it might also just go to the bitbucket.

  • by RogueyWon (735973) * on Tuesday October 25, 2011 @04:40AM (#37828928) Journal

    The impacts of this on the Reg readers affected is probably fairly minimal. At worst, the volumes of spam headed towards certain e-mail addresses will increase. But then - how many people these days really use an e-mail address for their website-registrations that they don't expect to be a complete spam-magnet anyway.

    But there's no credit card info out there, no real-world addresses or telephone numbers. And having an account with The Register isn't the kind of thing that people tend to lose their jobs over, so nobody need be particularly embarrassed about their name being on the list (unlike, say, when the British National Party's membership list was leaked a while back).

    This is far worse for The Register itself. It has - quite rightly - been a prominent critic of companies or organisations who fail to protect personal data. And now - even though the breach is at the lowest end of the severity scale - it's gone and done it itself. Fairly or not (and it's probably not, since I doubt it was one of the actual writers who was responsible for this), their own credibility is tarnished.

    UK readers may remember Angus Deayton of Have I Got News For You fame. I can see the potential for similar consequences here...

    • by sjames (1099) on Tuesday October 25, 2011 @05:40AM (#37829114) Homepage

      On the other hand, they probably confessed their error in record time. There can be no claims of downplaying or sweeping things under the rug that usually accompany reports of a data breach.

    • by pnot (96038)

      > This is far worse for The Register itself. It has - quite rightly - been a prominent critic of companies or organisations who fail to protect personal data. And now - even though the breach is at the lowest end of the severity scale - it's gone and done it itself. Fairly or not (and it's probably not, since I doubt it was one of the actual writers who was responsible for this), their own credibility is tarnished.

      Back when I read The Reg, they seemed to use humorous self-deprecation to deflect any and all criticism (slightly like Private Eye or Mad Magazine). This was back when Wikipedia was relatively new and controversial, and there would regularly be exchanges along the lines of:

      Reg article: "'Pediaphile makes mistake in article, proves Wikipedia is shit and wiki-fiddlers are all cocks".
      Reader email: "But the Reg is full of factual errors..."
      Reg response: "Yeah hurr hurr we're just a bunch of boozy old hacks in i

    • by tomknight (190939)
      As (I assume) an average Reg reader I don't really give much of a toss if my login's compromised. The email account was probably disposable and I can always make a new login if I want to comment. I've looked through the list and can't see myself (or anything that looks like the sort of online ID I'd use) there, and given that I've forgotten my details I'll probably need to create a new account anyway... Yup, they look a bit daft from this. The self-reporting to the ICO is certainly a Good Thing.
    • The Register has investigative reporters and aggressive editors. If they were able to diagnose the problems in other companies' data systems, how come they were so blind to what was happening in their own organisation?

      And how crass not to accept blame as an organisation, but to put the blame on an individual employee. They would ridicule any other company that tried to deflect blame this way.

  • by frovingslosh (582462) on Tuesday October 25, 2011 @04:58AM (#37828966)

    Well, it seems likely that some register users will be getting a lot of spam soon. Even if the list didn't get sent directly to a spammer it might have gone to someone who wants to teach the Register an important lesson.

    I always use disposable addresses when signing up for anything, and even give them to my friends. I've had one Linux forum make my address publicly visible. I've had multiple vendors send out things to lists with CC information in plain sight. I've had friends who had their accounts hacked and their contact information harvested. Always using disposable addresses lets you cut off just the problem rather than having to abandon an entire e-mail account (which I had to do years ago when it suddenly started receiving hundreds of e-mails a day, so much that my normal e-mail was being rejected because my "mailbox was full").

    I use a great free service from Spamgourmet.com. I have no relationship with them other than being a satisfied user for many years. As far as I know my actual e-mail (which I obviously had to give to them for forwarding) has never been compromised or leaked and I've never received any form of junk mail from them. They are not the only such option, but whichever you choose to use you should definitely use one if you want to protect yourself from spam and worse.

    • by Darinbob (1142669)

      Why would anyone give their email address to The Register anyway? You can read it without registering. At most this probably makes people more nervous about the "you must register to read our pithy articles" sites and instead head to places like The Register instead.

  • So did someone put all those names and email addresses into the To or Cc field of an email? That would be a rather large email to receive!!!

    In addition, this is why proper mailer software that they should have used handles the email composition and sending internally - so that the addresses will be in the BCC field or each address will get its own email sent just for itself.

    If they just sent out an excel file with the details in, that's even worse. There is no excuse for a workflow that involves someone man
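The per-recipient sending described in the comment above, sketched as an added example (it is not part of the original thread and not The Register's mailer). The subscriber names, addresses, sender address and function names are all constructed for illustration; the check runs on the built messages before anything is handed to an SMTP client.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

# Constructed sample subscribers (example.com is reserved for documentation).
SUBSCRIBERS = [
    ("Alice Example", "alice@example.com"),
    ("Bob Example", "bob@example.com"),
    ("Carol Example", "carol@example.com"),
]
SENDER = "newsletter@example.org"  # hypothetical sender address


def build_individual_messages(subject, body, recipients=SUBSCRIBERS):
    """Return (envelope_rcpt, message) pairs: one copy per subscriber."""
    out = []
    for name, addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = formataddr((name, addr))  # only this subscriber is visible
        msg["Subject"] = subject
        msg.set_content(body)
        out.append((addr, msg))
    return out


def build_cc_message(subject, body, recipients=SUBSCRIBERS):
    """The faulty pattern: a single message carrying the whole list in Cc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = formataddr(recipients[0])
    msg["Cc"] = ", ".join(formataddr(r) for r in recipients[1:])
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_addresses(msg, envelope_rcpt):
    """Addresses in To/Cc that envelope_rcpt could read, other than their own."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    seen = [addr.lower() for _, addr in getaddresses(headers) if addr]
    return sorted(a for a in seen if a != envelope_rcpt.lower())


def safe_to_queue(batch):
    """Pre-send gate: every copy must expose nothing beyond its own recipient."""
    return all(not exposed_addresses(msg, rcpt) for rcpt, msg in batch)


if __name__ == "__main__":
    print(safe_to_queue(build_individual_messages("News", "Hello")))
    blast = build_cc_message("News", "Hello")
    print(exposed_addresses(blast, "alice@example.com"))
```

A gate like `safe_to_queue` belongs in the mailer itself rather than in a manual checklist, so a hurried send cannot skip it.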

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      must be great to never make mistakes

    • by smpoole7 (1467717)

      I have no idea what caused this particular incident, but I know in our own organization, employees treat email as a convenient way to transfer files. As far as they're concerned, it beats a thumb drive, because they don't even have to get up from the desk!!! So ... we have employees emailing contracts, contact lists, and everything else imaginable to each other ... and even to themselves.

      Telling them not to do it is a waste of time. We've set up alternatives (SFTP servers for bulk file storage and transfer

    • by Anonymous Coward

      How many full-time employees do you think The Register has? It's a website. They probably don't physically employ any of their writers, and they syndicate ads, so that leaves admin & IT, for which five employees sounds like overkill.

  • ...struck again >>
  • as mentioned in the comments, somebody uploaded a link to a site hosting the file with the addresses. Which is nice because then you can check if your name is on it (mine isn't). For those whose name is on it, it's not so nice, but that's a different story...
  • "Mistakes will happen", "I thought they handled the screw-up exceptionally well",
    "They've put their money where their mouth is", "they deserve credit for that",
    "The impacts of this on the Reg readers affected is probably fairly minimal".

    Anybody else did this and the reactions would be much different. I figure the Register
    has called in everybody they can for damage control.

    I've read the Register for a while when they were hacked and down for a full weekend
    just recently, I went to the site Monday and not one wo

    • I appreciate the cynicism and skepticism. Really I do. It's a crappy incident, but they did handle it very well. I deal with breaches all too often and they did everything appropriately. Would you prefer that they consulted their legal and public affair departments and then acknowledged this a few weeks later? It's rare to see a quick response like that.

      Having said that, it was a stupid mistake.

      Regards the DNS hack, nope, they did post it:
      http://www.theregister.co.uk/2011/09/05/dns_hijack_service_update [theregister.co.uk]

      • > Regards the DNS hack, nope, they did post it:
        > http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ [theregister.co.uk]

        My bad, and I did look for the article as I was interested in what they had to say about being down. I was also
        wrong about theregister.co.uk being down a full week end. - It was for me, I figure maybe my DNS
        wasn't updated [all I can figure], it was also Labor Day in the U.S so a long weekend.

  • I don't know why. I received the entire list, I am only on it once. At least it was only names & email addresses — could have been worse.

  • I was one of the 3,521 who received the email with all 46,000 addresses in the CC field.

    It was followed up by an apologetic email explaining what had happened and asking me to delete the original email; and another email sent to all 46,000, again apologising and explaining, and linking to the press release. The Register also promptly reported themselves to the ICO.

    My first question to them was 'What mass mailing software or service do you use, and why did it allow this?' Considering the (assumed) IT literac

    • I have a suggestion: do the right thing, delete the e-mail. I don't know which country you are in, but you may not be authorized to use the data and there may be laws around that. No one consented to you using their personal information for "analysis".

      What if your computer is compromised and someone gains access to this file? Just get rid of it. At this point in time, you're (inadvertently) part of the problem.

      Just because you accidentally received the data does not mean you're entitled to use it as you wish.

  • "Fail" is not a noun. The word you are looking for is "failure".

    • But what do they know about the English language?

      Chaucer: Comaunded hire massangerys for to go The same day with outyn any fayle.
      Shakespeare: How grounded hee his Title to the Crowne Vpon our faile.

      Coincidentally, the Oxford English Dictionary agrees with Chaucer and Shakespeare.

    • by pclminion (145572)

      "Fail" is not a noun.

      Thank you for the correction. I shall record this in the archives without fail.

  • ...that you people consider names and email addresses secrets. Even more "amazing" is that you would use such secret names and addresses to sign up on a free humor Web site.

    Hint (yes, again): to keep a secret don't reveal it to anyone without
    a) A need to know
    and
    b) A contractual obligation to keep it confidential.

    • You're right, names in themselves are not a secret, you can get them in the phone books, or other public records. E-mails can be. Your membership with The Register can also be a secret. Secret, in the sense, something that you don't want the public to know.

      What this list presents:
      a) a nice collection of individuals with interest in matter IT-related
      b) a nice list of e-mails
      c) a list of members of a specific web site

      Replace "The Register" with "Republican Party", "Pro-choice Support Group", "STD-infected

  • So I logged into Hotmail and yes, there was the apology buried in all the spam

    I was amused to see that 10 days earlier Register Marketing had sent me a mail entitled...

    ON-DEMAND : The security mistakes users make

    Social networks, local admins, unlatched software, missing USBs: the
    causes of security problems in your business are often not just the big
    stuff that tries to get inside the firewall, it's the little problems
    that are already on the inside. Could your traditional security
    architecture be solving the wrong problems? Would a new approach plug
    the gaps more efficiently, and how much do we need to trust and train
    our users?

    That's what our latest Regcast considers.

    (My emphasis). Sounds like one not to miss.

  • Can someone comment on what the "two-stage send" policy is?
