
Ghostery Email Incident Update - nolok
https://www.ghostery.com/blog/ghostery-news/ghostery-email-incident-update/
======
nolok
I found this interesting for three reasons.

First, it's a data leak, and it's always good to have people informed about
them.

Second, it's funny that their GDPR-related email saying that they're committed
to it and respecting our data led to our data being leaked.

And third, this might be the first instance that the data leaking reporting
obligation of the GDPR is acted on?

> We will be reporting the incident as mandated by the GDPR.

We very often see on threads about leaks justified complaints about how
companies don't care, don't do anything to stop it and don't even warn their
customers that they sent their data in the wild, and with all the talks about
the GDPR I think this particular obligation, that they _have to_ report when
they screw up, kind of slipped under the radar of a lot of people. Just one
more reason why I personally believe this regulation is a strong step in the
right direction.

------
amingilani
I'm actually fairly happy with the way they handled it. Because I run a small
startup myself, I often put myself in the position of people committing
blunders like this, because, frankly, they can happen to anyone.

Just yesterday I accidentally wiped 30 minutes of production data, despite
taking great care to have multiple backup systems in place. The error: I was
upgrading our CI and accidentally swapped the production and staging labels. I
back up production and make a copy to staging on every deploy. But I don't
back up staging data, because who cares. Thankfully it was at off-peak hours
and no customers were affected.

But I'm going off-track. What I mean is, I would have done exactly what
Ghostery did in this case, so I'm happy with their response. Just like when
LastPass made a mandatory site-wide password reset because of an anomaly, and
when GitLab lost production data.

------
hashkb
Always test your emails with actual sending disabled. Especially right after
changing the email infrastructure. Email mistakes like this seem inevitable,
and the only solution in my experience is a ridiculous over-abundance of
caution. Can't hotfix an email.
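The "sending disabled" habit described above, as an added example that is not part of the thread and not Ghostery's code: a small Python mailer whose real SMTP path stays closed unless two conditions hold (an environment label equal to `production` and an explicit kill-switch variable); otherwise every message lands in an in-memory outbox that tests can inspect. The `APP_ENV` and `ALLOW_REAL_SEND` variable names and the `audit_outbox` check are assumptions for the example; the thread does not say what Ghostery's mistake was, so the audit only flags the generic failure of a notification message addressed to more than one person.

```python
import os
import smtplib
from dataclasses import dataclass, field
from email.message import EmailMessage

# Constructed example: a mailer that cannot reach SMTP by accident.
# Two independent conditions must hold before a real send happens, so a
# swapped environment label on its own (as in the staging/production mix-up
# described in this thread) still leaves sending disabled.


@dataclass
class Mailer:
    environment: str                   # e.g. "staging" or "production"
    allow_real_send: bool = False      # hypothetical kill switch, off by default
    smtp_host: str = "localhost"
    outbox: list = field(default_factory=list)

    def sending_enabled(self) -> bool:
        # Both the label AND the explicit switch are required.
        return self.environment == "production" and self.allow_real_send

    def send(self, sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = subject
        msg.set_content(body)
        if self.sending_enabled():
            with smtplib.SMTP(self.smtp_host) as smtp:
                smtp.send_message(msg)
        else:
            # Dry run: capture the message so a test can assert on it.
            self.outbox.append(msg)
        return msg


def from_env(environ=os.environ) -> Mailer:
    """Build a Mailer from environment variables (names are assumptions)."""
    return Mailer(
        environment=environ.get("APP_ENV", "development"),
        allow_real_send=environ.get("ALLOW_REAL_SEND") == "1",
    )


def audit_outbox(mailer: Mailer) -> list:
    """Return (index, reason) for captured messages that would expose other
    people's addresses: more than one To address, or any Cc/Bcc header."""
    problems = []
    for i, msg in enumerate(mailer.outbox):
        to_addrs = [a for a in (msg["To"] or "").split(",") if a.strip()]
        if len(to_addrs) != 1 or msg["Cc"] or msg["Bcc"]:
            problems.append((i, "recipient list exposed"))
    return problems


if __name__ == "__main__":
    m = Mailer(environment="staging", allow_real_send=True)
    m.send("noreply@example.com", "user@example.com", "Policy update", "Hello")
    print(len(m.outbox), "message(s) captured, problems:", audit_outbox(m))
```

A CI job for a notification campaign can run the whole send loop against a `Mailer` in dry-run mode, then assert that the outbox has one message per recipient and that `audit_outbox` is empty, before anyone flips the real switch.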

------
ddtaylor
> We take our privacy and security practices very seriously

This is verbatim what Amazon said a few days ago when they responded to the
privately recorded conversation of a Portland woman being sent to an arbitrary
contact. I get they are trying to make people feel safe by saying this, but I
read this more as "wow, if you take it seriously I'm frightened by things with
less priority".

I don't expect any company to care about what happens if it doesn't affect
their bottom line. However, I do think the terrible PR they get will
eventually affect their bottom line, but who knows if they will connect the
dots or blame it on a bad marketing campaign etc.

------
pasbesoin
Well, glad I never registered, then.

(One more reason to resist the "register" nagging UI.)

