We've had an interesting scenario happen. A small number of customers contacted us, concerned that their private, single-use email addresses had somehow fallen into the hands of spammers.
Now we don't ever sell or give away anyone's personal data (as per the Golden Rule), so we immediately checked our own servers and current IT suppliers to make sure their hadn't been a breech of any sort. There wasn't; all of our data remained secure.
But something struck me as odd. The first couple of folks who wrote us hadn't ordered recently. Their accounts were set up back in 2008 or so. Aha.
We used to use iContact.com to send our email newsletter to our loyal readers. Dissatisfied with their service, we switched over to using MadMimi.com last fall. And lo and behold, according to several blog postings and twitter traffic, iContact indeed had suffered some sort of security breech around the end of January, 2010.
iContact has now admitted the breach.
But that still didn't make any sense. We had cancelled our account with them some five or six months ago. They didn't still have our data on their servers, did they?
Yes, they did.
Turns out that iContact doesn't delete your data when you cancel your account unless you specifically request them to do so. It just sits there, despite the fact that you have no further business relationship with them. Vulnerable. And in this case, exploited.
After several un-answered emails to their support folks, I finally had to phone them up and demand they remove our data. The fellow I spoke with was very nice; he told me that they don't automatically delete customer's address databases and said they'd get right on it. They'd close that barn door right nice and tight now that the horses are loose. sigh.
We take your privacy as seriously as we do our own (which is very seriously). We are saddened at this turn of events; its unfortunate (and unethical, IMHO) that iContact didn't delete the data when they should have, and that they then were breached.
Fortunately, the only data that iContact had in their possession was email address alone, no names or other data is at any risk.
On behalf of the Pragmatic Bookshelf, I apologize for any inconvenience this incident may have caused anyone, and rest assured that we're on your side, and will continue to watch out for your interests.