The company behind Ghostery, while trying to comply with its GDPR obligations, made a mistake: a technical error that occurred when its staff were sending out GDPR-themed notification emails.
According to user reports, Ghostery sent out emails that exposed the addresses of other users.
The emails were sent to batches of 500 users at the same time, and every user in each batch was able to see the email addresses of the other users. Imagine sending a mass email at work but putting every recipient's address in the "To" or "CC" field instead of "BCC".
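The failure mode described above (one message addressed to a whole batch instead of one message per recipient) is easy to guard against before anything reaches an SMTP server. The following Python example is added here and is not Ghostery's code or the code of any email tool it used; the addresses, subject and `transport` callable are constructed placeholders. It builds both the leaky batch message and the correct per-recipient messages with the standard library, then runs a pre-send check that refuses any message whose visible headers expose more than one address.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses, not real user data).
RECIPIENTS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
]

SUBJECT = "Our updated privacy policy"
BODY = "We have updated our privacy policy ahead of GDPR. No action is required."


def build_batch_message(recipients, subject, body, sender="notices@example.com"):
    """The failure mode: one message with every recipient in the visible To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(recipients, subject, body, sender="notices@example.com"):
    """The correct pattern: one message per recipient, so nobody sees another user's address."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Return every address a recipient of this message would be able to read (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_no_address_leak(messages, max_visible=1):
    """Pre-send guard: flag any message exposing more than max_visible addresses.
    Returns a list of (index, visible_addresses) for offending messages; empty means safe."""
    violations = []
    for i, msg in enumerate(messages):
        seen = visible_recipients(msg)
        if len(seen) > max_visible:
            violations.append((i, seen))
    return violations


def send_if_safe(messages, transport):
    """Hand messages to `transport` only when the guard passes.
    `transport` is any callable taking an EmailMessage (for real sending this would be
    smtplib.SMTP.send_message); the demo below uses a list's append as a stand-in."""
    problems = check_no_address_leak(messages)
    if problems:
        raise ValueError(
            f"refusing to send: {len(problems)} message(s) would expose recipient addresses"
        )
    for msg in messages:
        transport(msg)
    return len(messages)


if __name__ == "__main__":
    sent = []
    batch = [build_batch_message(RECIPIENTS, SUBJECT, BODY)]
    print("batch violations:", check_no_address_leak(batch))
    individual = build_individual_messages(RECIPIENTS, SUBJECT, BODY)
    print("individual violations:", check_no_address_leak(individual))
    print("sent:", send_if_safe(individual, sent.append))
```

The guard only counts addresses in `To` and `Cc`, so a batch that keeps all recipients in `Bcc` would pass it; that is deliberate, since `Bcc` is stripped before delivery and does not expose other users. The point is that the check sits between message construction and the transport, so an operator unfamiliar with a new sending tool cannot push a mis-addressed batch through by accident.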
— rafael_belenos.txt (@belenos) May 25, 2018
— Linguica (@andrewrstine) May 25, 2018
Ghostery is off to a great start. pic.twitter.com/N9x2fOoPnw
— Dan Previte (@dprevite) May 25, 2018
— Daniel Tsekhman (@tsekhman) May 25, 2018
— David L. (@kenny33600) May 25, 2018
you cannot make this up: the privacy driven Chrome extension @Ghostery for blocking third-party trackers has done its GDPR mass email exposing all(?) of its users in the email TO: field!! pic.twitter.com/m4R14q7QqP
— Matt 😼 (@matthewherod) May 26, 2018
Weird move from @Ghostery :
1. Accidentally share thousands of email addresses with users. (in a GDPR email 🤦♂️)
2. Apologise for it on Twitter.
3. Delete the apology tweet. pic.twitter.com/SKA1OL8L3h
— dan barker (@danbarker) May 25, 2018
Ghostery: It was a simple human mistake.
Ghostery realized the error on Friday and, after an investigation, explained on Saturday that the error was caused by an operator's mistake while working with their new self-hosted email delivery platform for the first time.
Recently, we decided to stop using a third-party email automation platform. In an effort to be more secure, we wanted to manage user account emails in our own system, so we could fully monitor and control data practices surrounding them. Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the “To” field. We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.
Following the incident, the company said it stopped email sending operations as soon as it realized what had happened, and on Saturday it published instructions on how users could delete their Ghostery accounts.
Ghostery profiles aren't mandatory for using Ghostery, so deleting an account won't affect the company's products in any way.
The incident isn't as bad as it sounds, as only email addresses were exposed (strictly speaking, it isn't a security breach).
Ghostery said it plans to report the incident to EU authorities, as the new GDPR rules mandate. While there's no way to accurately verify this, Ghostery may actually be the first company to report a breach under the new GDPR rules.
To keep in mind: It was a GDPR email campaign that broke GDPR rules!
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.