What’s worse than a security issue? Ignoring it and hoping it will go away.
First a bit of background. For years, I’ve been tracking spam by generating unique forwarding addresses every time I register on a site. The intent was to be able to track the sources of spam and easily disable a compromised address. In practice, it’s proven to be a tool for detecting all sorts of misbehaviour.
Reports I’ve sent have exposed a variety of things, from “overzealous” use of databases by partners, to criminal theft by disgruntled employees. To the best of my knowledge, the reports I’ve sent to victimized companies have resulted in one firing, one set of criminal charges, and countless wrist slaps.
Generally speaking, if a company takes the report seriously and takes some sort of action, I don’t go public with it. The reverse is also true. Ignore a report and you wind up in a blog post, and this brings us to Canada Computers and Electronics. I have to say that it pains me to do this, because they are, or rather were, one of my favourite suppliers.
On February 24th, I received spam titled “Yum my Dol l S ee ki ng a L ove r”. The message contained just one image, a less discreet version of this one:
The problem is that the message was sent to a tracking address that has only ever been used with my account at Canada Computers and Electronics. The specific address contains an abbreviation of their name, and a six character alphanumeric suffix. The suffix is there because one company I talked to claimed that “anyone” could have guessed my tracking address, and that therefore my report wasn’t worth investigating. The suffix means that there’s a one in two billion (1:2,176,782,336 to be exact) chance of guessing the address, assuming the spammer also “guessed” that I had a business relationship with the company and “guessed” the abbreviation I used. Anyone doing this would be far better off guessing winning lottery ticket numbers.
The conclusion from this spam is pretty obvious: someone has compromised the customer database at Canada Computers and Electronics. That’s pretty serious stuff! That same day I sent a message to two addresses found on their web site, email@example.com and firstname.lastname@example.org. Since it was pretty late on a Friday I left it at that.
The next Monday, after 4pm I sent another note expressing my concern about the lack of response to such an urgent matter and giving them a deadline of February 29th before public disclosure. At 5:36pm I received a response to my first message indicating that the report had been passed to management.
Since then, nothing. Not even a message from someone saying that they’re looking into it.
It’s highly probable that someone stole customer data from Canada Computers and Electronics, and they don’t appear to be responding to the issue. I’m not doing business with this company at least until they’ve come clean and addressed the problem. I can’t see why anyone else would either.