They did the hard thing, which was emailing users about a "breach" that may or may not have been exploited. I mean we're only talking about names/emails here but whatever.
I donated to CC a couple times and may be in that file but frankly I couldn't care any less, as long as CC does an outstanding job improving their licenses (which they do!).
If true, I think it's totally reasonable to complain about that.
You donate to an organization because you want to support them. You responsibly report a data breach because you want to support them. And in response? They can't be bothered to take 10 seconds to type "Thank you! We'll fix this ASAP." Really?
My advice to OP: Next time you're fortunate enough to be able to donate to an organization, pick another one. It's not just about supporting good causes, it's about supporting effective organizations.
Now I have a way to distinguish public organizations wanting my money. And since I donate anonymously, I have no need to ever donate to the PR kind.
Elliot Harmon / Communications manager, Creative Commons / firstname.lastname@example.org
Thanks for your help in identifying this issue and for your related suggestions. You’re welcome to post this reply as an addendum to your blog post; we’ll also be posting it on the Hacker News thread.
We regret not replying to you promptly about what we were doing to resolve the issue, and to express our gratitude. That was our error, and we apologize. Our immediate focus was on locating the file you identified, confirming that no other files with sensitive information had been inadvertently uploaded, determining what information the file contained, and identifying and contacting affected donors. Thankfully, we were able to remove the file the same day you reported the incident. That was our highest priority.
We have since learned that our rapid deletion of the file limited our ability to access statistics about its use. We will share an update if we learn more about views or possible downloads.
As to your other suggestions, they are well taken and we will do better. Both emails for the audit committee on the contact page are functional, but in order to avoid confusion, we removed one of them. We have also emphasized that email@example.com is the most appropriate portal for sending privacy-related concerns at this time.
Thanks again for calling this to our attention, and our apologies for not more quickly replying to you individually.
Diane M. Peters / General Counsel, Creative Commons
Although not as serious as the release of names and addresses, I email people and organizations all the time when I see typos on their web sites, and I don't much expect any response or acknowledgement; I am just trying to be helpful. It seems like the author of the article was similarly trying to be helpful.