The Register Email Address Blunder 70
First time accepted submitter Tim99 writes "This morning I got an email from The Register informing me that they have sent 3,521 of their readers the names and e-mail addresses of 46,000 other readers. Considering their frequent rants about security this has got to be a major FAIL."
El Reg writes: "Obviously, this was an error. The two-stage send process that is the norm for all of our mailers was over-looked because someone was in a hurry."
Omitted from summary (Score:5, Funny)
Re: (Score:2)
Since the people at the ICO failed to act on our report, they have reported themselves for violations.
(the original sanction against The Register will be given at great haste and expense) /python
Re: (Score:3)
We should be able to moderate submitters on accuracy of headline and summary. Tim99 obviously left out the bit about the ICO to make his FAIL point.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Thanks for replying. I agree this is something they should be panned for, especially as they are always taking other companies to task over the same mistake, but by owning up to it almost immediately and also reporting themselves to the ICO I feel they have at least done what they could under the circumstances and I think that should have been mentioned in the summary.
Ok, maybe their hand was forced to admit the mistake due to three and a half thousand potential whistle blowers, but at least they did it and
Re: (Score:2)
Shit happens, at least they are up front about it when it happened to them.
Re: (Score:2)
Shit happens, at least they are up front about it when it happened to them.
And this is why I use separate and disposable gmail-address for them and most other registrations...
Re: (Score:2)
I'm not sure their PR work is having the desired effect.
Half of literature and human history consists of people suffering momentary lapses of standards they espouse. If you wear the goat horns valiantly, people will forgive if not forget. Some of the orgs criticized by El Rel are institutions with immense resources and pub
Re: (Score:2)
This isn't as though they are somehow more virtuous that other companies that they've attacked for the same thing. 3,521 people know that The Register leaked that mailing list. And it's their legal responsibility to report their fuck up to the ICO.
They couldn't do anything other than report themselves to the ICO given that they are based in England. Or face legal repercussions for not doing so. It doesn't change the significance of the summary one bit.
Reported themselves to the ICO (Score:5, Interesting)
They've put their money where their mouth is, and reported themselves to the Information Commisioner's Office for the breach.
Re:Reported themselves to the ICO (Score:5, Insightful)
And they deserve credit for that. Within an hour of the the problem they report on it already.
Mistakes will happen, no matter how hard you try to prevent them. The most important part is: how do you handle those mistakes. Many other companies should take note of what El Reg has done here, and follow their example.
Re: (Score:2)
good good
exactly they actually have systems....
Re: (Score:2, Interesting)
How the Reg handles mistakes. I remember the last time I saw one. Which turned out to be my last visits. This was when they inexplicably decided to use the Sensational Headline Format, designed to lure traffic by little lies. Stolen from celeb news, where stuff like "X dies!" turns out to be "X said he died a little inside when..." There was outrage in the comments when the Register started using it. The way the beloved Reg took care of the problem was to remove and censor every single comment which dared t
Re: (Score:2)
One of the weirdest insults I've ever seen. If it was an insult ; even that isn't clear.
But what else would you expect from an AC? They rarely rise to the level of American Retard Reject.
Re: (Score:2)
I think you're giving them too much credit. Their systems have always been developed and managed in a disturbingly amateur manner, and it seemed clear this was going to come and bite them one day.
Really, when the quality of their supporting staff is about the same as their journalists (i.e. really really bad), what can you expect?
Companies should firstly stop employing monkeys to manage systems that said companies are opening themselves up to legal action if they aren't protected properly.
I'd rather other c
Personal responsibility (Score:2)
What I find more interesting is they posted an email address which they claim goes to the person who screwed up. It's obviously an alias created for the occasion, but it still might actually go to that person. If it does, that shows a measure of accountability that is almost unheard of these days.
Of course, it might also just go to the bitbucket.
Re: (Score:3)
Check the comments to the Reg's own story. One of their readers has already taken great delight in uploading it - prompting an angry reaction from everybody else on the comments. After all, the Reg's actions, however stupid, were accidental. Posting a bunch of people's e-mail addresses to pastebin is deliberate malice (even if it was probably inevitable with that many recipients).
Re: (Score:2)
The upload to Pastebin is fake. Trolling is very much in the spirit of El Reg.
Re: (Score:2)
"Seems like someone were overdue for a promotion" you mean. Now they may be overdue for the dole office.
Re: (Score:2)
Probably worse for The Register than their readers (Score:5, Insightful)
The impacts of this on the Reg readers affected is probably fairly minimal. At worst, the volumes of spam headed towards certain e-mail addresses will increase. But then - how many people these days really use an e-mail address for their website-registrations that they don't expect to be a complete spam-magnet anyway.
But there's no credit card info out there, no real-world addresses or telephone numbers. And having an account with The Register isn't the kind of thing that people tend to lose their jobs over, so nobody need be particularly embarrassed about their name being on the list (unlike, say, when the British National Party's membership list was leaked a while back).
This is far worse for The Register itself. It has - quite rightly - been a prominent critic of companies or organisations who fail to protect personal data. And now - even though the breach is at the lowest end of the severity scale - it's gone and done it itself. Fairly or not (and it's probably not, since I doubt it was one of the actual writers who was responsible for this), their own credibility is tarnished.
UK readers may remember Angus Deayton of Have I Got News For You fame. I can see the potential for similar consequences here...
Re: (Score:3)
If he'd stayed, then for years to come, every time he tried to mock any of his guests over their own indiscretions, they could just have turned the tables on him. HIGNIFY has always had a degree of "yah boo sucks" about it - it's not exactly reasoned debate - and this would have amounted to a get-out-of-jail-free card for guests. Having the show run on that basis in the long run would have robbed it of most of its impact.
Re: (Score:2)
Well there's that. And also the fact that their main assert is Paul Merton, and he couldn't stand the sight of Angus.
Re: (Score:2)
Re: (Score:2)
. . . which would have exposed the stupidity (or inebriation) the guests who don't pick up their GOoJF card.
Oh, I don't know ; I enjoyed seeing Merton put the (be-cramponned) boot into Deayton. A more justifiable bloodsport than fox hunting, and you can do it again next week. Cross-reference
Re: (Score:2)
Fry/Davies is obviously in good humour. You can tell they like each other.
Deaton/Merton had not been in good humour for years before Deaton got the boot. Yes it was funny, but sometimes uncomfortable. And certainly very uncomfortable in the last show or two.
Talking of which, I really don't think the different presenter each week works. Sometimes they have a good or interesting one, but then that's balanced out by the uninteresting or just useless ones. Mostly it just ruins the illusion that the presenter is
Re:Probably worse for The Register than their read (Score:4, Interesting)
On the other hand, they probably confessed their error in record time. There can be no claims of downplaying or sweeping things under the rug that usually accompany reports of a data breech.
Re: (Score:1)
Re: (Score:2)
This is far worse for The Register itself. It has - quite rightly - been a prominent critic of companies or organisations who fail to protect personal data. And now - even though the breach is at the lowest end of the severity scale - it's gone and done it itself. Fairly or not (and it's probably not, since I doubt it was one of the actual writers who was responsible for this), their own credibility is tarnished.
Back when I read The Reg, they seemed to use humorous self-deprecation to deflect any and all criticism (slightly like Private Eye or Mad Magazine). This was back when Wikipedia was relatively new and controversial, and there would regularly be exchanges along the lines of:
Reg article: "'Pediaphile makes mistake in article, proves Wikipedia is shit and wiki-fiddlers are all cocks".
Reader email: "But the Reg is full of factual errors..."
Reg response: "Yeah hurr hurr we're just a bunch of boozy old hacks in i
Re: (Score:2)
Re: (Score:3)
The Register has investigative reporters and aggressive editors. If they were able to diagnose the problems in other companies data systems, how come they were so blind to what was happening in their own organisation.
And how crass not to accept blame as an organisation, but to put the blame on an individual employee. They would ridicule any other company that tried to deflect blame this way.
another reason to always use disposable addresse (Score:5, Informative)
Well, it seems likely that some register users will be getting a lot of spam soon. Even if the list didn't get sent directly to a spammer it might have gone to someone who wants to teach the Register an important lesson.
I always use disposable addresses when signing up for anything, and even give them to my friends. I've had one Linux forum make my address publicly visible. I've had multiple vendors send out things to lists with CC information in plain sight. I've had friends who had their accounts hacked and their contact information harvested. Always using disposable addresses lets you cut off just the problem rather than having to abandon an entire e-mail account (which I had to do years ago when it suddenly started receiving hundreds of e-mails a day, so much that my normal e-mail was being rejected because my "mailbox was full")..
I use a great free service from Spamgourmet.com. I have no relationship with them other than being a satisfied user for many years. As far as I know my actual e-mail (which I obviously had to give to them for forwarding) has never been compromised or leaked and I've never received any form of junk mail from them. They are not the only such option, but whichever you choose to use you should definitely use one if you want to protect yourself from spam and worse.
Re: (Score:2)
Why would anyone give their email address to The Register anyway? You can read it without registering. At most this probably makes people more nervous about the "you must register to read our pithy articles" sites and instead head to places like The Register instead.
How does this happen still? (Score:1)
So did someone put all those names and email addresses into the To or Cc field of an email? That would be a rather large email to receive!!!
In addition, this is why proper mailer software that they should have used handles the email composition and sending internally - so that the addresses will be in the BCC field or each address will get its own email sent just for itself.
If they just sent out an excel file with the details in, that's even worse. There is no excuse for a workflow that involves someone man
Re: (Score:2)
somebody tries to send the full list of subscribers to the latter...
This prompts the question "Why did you do that?" If the subscribers list is intended to be internal, keep it internal. Send a link to the list's location on $SOME_INTERNAL_PAGE to the management and let them click through to it. If you accidentally send that internal link to the subscribers list rather than the maintainers, then you've exposed some of your internal site organization details to the list (mildly bad) but you haven't divulged the subscribers list since they don't have permission to access the
Re: (Score:2, Insightful)
must be great to never make mistakes
Re: (Score:2)
I have no idea what caused this particular incident, but I know in our own organization, employees treat email as a convenient way to transfer files. As far as they're concerned, it beats a thumb drive, because they don't even have to get up from the desk!!! So ... we have employees emailing contracts, contact lists, and everything else imaginable to each other ... and even to themselves.
Telling them not to do it is a waste of time. We've set up alternatives (SFTP servers for bulk file storage and transfer
Re: (Score:1)
How many full-time employees do you think The Register has? It's a website. They probably don't physically employ any of their writers, and they syndicate ads, so that leaves admin & IT, for which five employees sounds like overkill.
BOFH... (Score:2)
already on pastebin (Score:2)
Re: (Score:3)
I found it on pastebin, it wasn't hard, just search in the last 24 hours. My email address wasn't there either despite getting the apology email.
Re: (Score:3)
Well, the pastebin links to http://theregisteremailleak.webs.com/theregister.txt [webs.com]
If you scroll right to the bottom you find...
Just kidding! This list is made up for fun! :)
Someone having fun trolling?
Different Tune being sung (Score:2)
"Mistakes will happen", "I thought they handled the screw-up exceptionally well",
"They've put their money where their mouth is", "they deserve credit for that",
"The impacts of this on the Reg readers affected is probably fairly minimal".
Anybody else did this and the reactions would be much different. I figure the Register
has called in everybody they can for damage control.
I've read the Register for while when they were hacked and down for a full weekend
just recently, I went to the site Monday and not one wo
Re: (Score:2)
I appreciate the cynicism and skepticism. Really I do. It's a crappy incident, but they did handle it very well. I deal with breaches all too often and they did everything appropriately. Would you prefer that they consulted their legal and public affair departments and then aknowledged this a few weeks later? It's rare to see a quick response like that.
Having said that, it was a stupid mistake.
Regards the DNS hack, nope, they did post it:
http://www.theregister.co.uk/2011/09/05/dns_hijack_service_update [theregister.co.uk]
Re: (Score:1)
> Regards the DNS hack, nope, they did post it:
> http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ [theregister.co.uk] [theregister.co.uk]
My bad, and I did look for the article as I was interested in what they had to say about being down. I was also
wrong about theregister.co.uk being down a full week end. - It was for me, I figure maybe my DNS
wasn't updated [all I can figure], it was also Labor Day in the U.S so a long weekend.
I received 2 apologies ... (Score:2)
I don't know why. I received the entire list, I am only on it once. At least it was only names & email addresses — could have been worse.
Re: (Score:2)
Can you send it to me, I didn't get it.
-dZ.
I've got the list. (Score:2)
I was one of the 3,521 who received the email with all 46,000 addresses in the CC field.
It was followed up by an apologetic email explaining what had happened and asking me to delete the original email; and another email sent to all 46,000, again apologising and explaining, and linking to the press release. The Register also promptly reported themselves to the ICO.
My first question to them was 'What mass mailing software or service do you use, and why did it allow this?' Considering the (assumed) IT literac
Re: (Score:1)
I have a suggestion; do the right thing delete the e-mail. I don't know which country you are in, but you may not authorized to use the data and there may be laws around that. No one consented to you using their personal information for "analysis".
What if your computer is compromised and someone gains access to this file? Just get rid of it. At this point in time, you're (inadvertently) part of the problem.
Just because you accidently received the data does not mean you're entitled to use it as you wish.
Pedantic rant (Score:2)
"Fail" is not a noun. The word you are looking for is "failure".
Chaucer and Shakespeare disagree (Score:1)
But what do they know about the English language?
Chaucer: Comaunded hire massangerys for to go The same day with outyn any fayle.
Shakespeare: How grounded hee his Title to the Crowne Vpon our faile.
Coincidentally, the Oxford English Dictionary agrees with Chaucer and Shakespeare.
Re: (Score:2)
"Fail" is not a noun.
Thank you for the correction. I shall record this in the archives without fail.
I find it, um, "amazing"... (Score:2)
...that you people consider names and email addresses secrets. Even more "amazing" is that you would use such secret names and addresses to sign up on a free humor Web site.
Hint (yes, again): to keep a secret don't reveal it to anyone without
a) A need to know
and
b) A contractual obligation to keep it confidential.
Re: (Score:1)
You're right, names in themselves are not a secret, you can get them in the phone books, or other public records. E-mails can be. Your membership with The Register can also be a secret. Secret, in the sense, something that you don't want the public to know.
What this list presents:
a) a nice collection of individuals with interest in matter IT-related
b) a nice list of e-mails
c) a list of members of a specific web site
Replace "The Register" with "Republican Party", "Pro-choice Support Group", "STD-infected
Irony (Score:1)
So I logged into Hotmail and yes, there was the apology buried in all the spam
I was amused to see that 10 days earlier Register Marketing had sent me a mail entitled...
ON-DEMAND : The security mistakes users make
Social networks, local admins, unlatched software, missing USBs: the
causes of security problems in your business are often not just the big
stuff that tries to get inside the firewall, it's the little problems
that are already on the inside. Could your traditional security
architecture be solving the wrong problems? Would a new approach plug
the gaps more efficiently, and how much do we need to trust and train
our users?
That's what our latest Regcast considers.
(My emphasis). Sounds like one not miss.
Two stage send (Score:2)
Can someone comment on what the "two-stage send" policy is?