5 comments

[ 3.1 ms ] story [ 24.8 ms ] thread
I found this interesting for three reasons.

First, it's a data leak, and it's always good to have people informed about them.

Second, it's funny that their GDPR-related email saying that they're commited to it and respecting our data lead to our data being leaked.

And third, this might be the first instance that the data leaking reporting obligation of the GDPR is acted on ?

> We will be reporting the incident as mandated by the GDPR.

We very often see on thread about leaks justified complaints about how companies don't care, don't do anything to stop it and don't even warn their customers that they sent their data in the wild, and with all the talks about the GDPR I think this particular obligation, that they have to report when they screw up, kind of slipped under the radar of a lot of people. Just one more reason why I personally believe this regulation is a string step in the right direction.

Always test your emails with actual sending disabled. Especially right after changing the email infrastructure. Email mistakes like this seem inevitable, and the only solution in my experience is a ridiculous over-abundance of caution. Can't hotfix an email.
I'm actually fairly happy with the way they handled it. Because I run a small startup myself, I often put myself in the position of people committing blunders like this, because, frankly they can happen to anyone.

Just yesterday I accidentally wiped 30 minutes of production data, despite taking great care to have multiple backup systems in place. The error: I was upgrading our CI and accidentally swapped the production and staging labels. I back up production and make a copy to staging on every deploy. But I don't back up staging data, because who cares. Thankfully it was at off-peak hours and no customers were affected.

But I'm going off-track. What I mean is, I would have done exactly what Ghostery did in this case, so I'm happy with their response. Just like when LastPass made a mandatory site-wide password reset because of an anomaly, and when GitLab lost production data.

> We take our privacy and security practices very seriously

This is verbatim what Amazon said a few days ago when they responded to the privately recorded conversation of a Portland woman being sent to an arbitrary contact. I get they are trying to make people feel safe by saying this, but I read this more as "wow, if you take it seriously I'm frightened by things with less priority"

I don't expect any company to care about what happens if it doesn't affect their bottom line. However, I do think the terrible PR they get will eventually effect their bottom line, but who knows if they will connect the dots or blame it on a bad marketing campaign etc.

Well, glad I never registered, then.

(One more reason to resist the "register" nagging UI.)