Ghostery makes a huge privacy gaffe when emailing customers about GDPR

Ghostery on a smartphone

Ghostery is a company rooted in privacy, so that the firm should accidentally reveal users' email addresses would come as something of a surprise. Over the weekend, however, this is exactly what happened.

The company -- as many others have been doing recently -- emailed its users with details of its updated privacy policy that complies with GDPR. Unfortunately, the message exposed the email addresses of hundreds of customers as the company failed to make use of the BCC field.

See also:

Sent out in batches of 500, the email showed the address of other recipients in the To field. Ghostery insists that it is only email addresses that have been exposed by the slip-up, and the company has stopped using the distribution tool since the problem was discovered.

Many people took to Twitter to deride Ghostery's mistake:

The company also tweeted out an apology:

In a blog post, Ghostery admitted that it had sent out an email "that resulted in the exposure of account holders’ email addresses to other Ghostery account holders and Ghostery users". The company went on to say: "We would like to provide some clarification and transparency regarding our GDPR email that unintentionally revealed the email addresses of some of our user accounts."

Continuing to explain what happened, the Ghostery team said:

Recently, we decided to stop using a third-party email automation platform. In an effort to be more secure, we wanted to manage user account emails in our own system, so we could fully monitor and control data practices surrounding them. Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the "To" field. We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.

Only email addresses and the fact that you are on our mailing list were inadvertently disclosed.

In line with GDPR, Ghostery says that it will report the incident, which it describes as a "clear mistake". To help calm anyone who was angered by the mistake, the company used the blog post to provide details about how to unsubscribe from future emails, or how to delete user accounts completely.

CEO and founder of web security company High-Tech Bridge, Ilia Kolochenko, shared his thoughts on the slip-up:

A human mistake is virtually unpreventable even at large cybersecurity companies. Nonetheless, it's still surprising. Why didn't Ghostery send a test email first to a dozen real users, to ascertain that all is correct, before sending to a larger trial party and, only then, send its large-scale GDPR email blast. I hope Ghostery will make the necessary conclusions and undertake the necessary measures to revise and enhance their internal processes, including data breach notification procedure.

Image credit: bangoland / Shutterstock

© 1998-2019 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.