Another case where the use of unique, hard-to-guess mail addresses reveals a problem with data security. This time the co-victim and/or offender is the Yellow Pages Group.

Let’s start with the boring but still somewhat amusing part of the history:

  • September 23, 2010: I create a tracking address and use it to set up a “free” listing for one of my businesses at YellowPages.ca.
  • November 11, 2010: Yellow Pages Group sends a promotional email to the tracking address, trying to get me to move to a paid service. When I stop laughing, I unsubscribe and receive a confirmation message. We’re done, right? Wrong!
  • January 17, 2011: I receive a message, in French, promoting YPG services. I create a mail filter marking all communications to my tracking address as read. Note to YPG: unsubscribe. un-sub-scribe. This means STOP sending mail. Duh.
  • April 28 and May 2, 2011: more mail, unnoticed until recently thanks to the mark-as-read rule. In hindsight, this is too bad, because “Get a personalized Web site for less than $2 a day” would have given me a good hard laugh. $60/month for a basic template-customized site? That makes text message charges look cheap! Oh, wait, YPG has its roots in Bell, doesn’t it? That sure explains a lot!

Yesterday, May 14, 2012, this unique address, which is made from a contraction of “Yellow Pages” and five random characters (essentially un-guessable), gets “FREE participation to win an IPAD 3 16GB WI-FI !” from no-reply@promohebdo.ca.
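The mechanism at work in the post is worth spelling out in code: mint one address per party with a short tag plus a random suffix, keep a ledger of who was given which address and which sender domains are legitimate for it, and then classify incoming mail by which tracking address it landed on and who it came from. The following is an added example written for this page, not the author’s own tooling; it assumes a hypothetical catch-all domain `example.org` (any local part is delivered), uses only the Python standard library, and the sample messages are constructed to mirror the ones described above. It also handles two details the post does not mention: subdomains of an expected sender (`mail.yellowpages.ca` still counts as Yellow Pages) and the size of the guessing space for a five-character suffix.

```python
import math
import secrets
import string
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Random suffix alphabet: 36 symbols. Five of them give ~25.9 bits,
# far beyond what a spammer's dictionary of local parts could brute force
# against a catch-all domain (assumption: example.org is such a domain).
ALPHABET = string.ascii_lowercase + string.digits
SUFFIX_LEN = 5
MY_DOMAIN = "example.org"  # hypothetical catch-all domain


def random_suffix(n=SUFFIX_LEN):
    """Cryptographically random suffix so addresses are not predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def suffix_entropy_bits(n=SUFFIX_LEN):
    """Bits an outsider must guess to land on one particular tracking address."""
    return math.log2(len(ALPHABET) ** n)


def register(ledger, party, tag, expected_domains):
    """Mint a tracking address for `party` and record who may legitimately use it."""
    address = f"{tag}{random_suffix()}@{MY_DOMAIN}"
    ledger[address] = {
        "party": party,
        "expected": {d.lower() for d in expected_domains},
    }
    return address


def _domain_matches(sender_domain, expected):
    # Accept the expected domain itself or any subdomain of it.
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in expected)


def classify(raw_message, ledger):
    """Return (verdict, party, sender_domain).

    verdict is 'expected'  -> the party we gave the address to wrote to it,
               'leaked'    -> someone else wrote to it: the address escaped,
               'untracked' -> the message did not hit any tracking address.
    Caveat: this trusts the From: header, which is forgeable; in production
    also check Return-Path and DKIM/SPF results before drawing conclusions.
    """
    msg = message_from_string(raw_message)
    header_values = []
    for name in ("To", "Cc", "Delivered-To"):
        header_values.extend(msg.get_all(name, []))
    recipients = [addr.lower() for _, addr in getaddresses(header_values)]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]

    for recipient in recipients:
        entry = ledger.get(recipient)
        if entry is None:
            continue
        if sender_domain and _domain_matches(sender_domain, entry["expected"]):
            return ("expected", entry["party"], sender_domain)
        return ("leaked", entry["party"], sender_domain)
    return ("untracked", None, sender_domain)


def demo():
    """Replay the post's scenario on constructed messages (not real mail)."""
    ledger = {}
    yp = register(ledger, "Yellow Pages Group", "yp", ["yellowpages.ca"])
    promo = (f"From: Yellow Pages <promo@mail.yellowpages.ca>\nTo: {yp}\n"
             "Subject: Get a personalized Web site for less than $2 a day\n\n...")
    ipad = (f"From: no-reply@promohebdo.ca\nTo: {yp}\n"
            "Subject: FREE participation to win an IPAD 3 16GB WI-FI !\n\n...")
    return [classify(promo, ledger), classify(ipad, ledger)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ledger is the whole point: without the mapping from address back to the party it was issued to, a hit on a random-looking address tells you that something leaked but not whose database it came from. Keep it somewhere the mail filter can read it, and treat a `leaked` verdict as a lead to be confirmed against the envelope sender and authentication headers rather than as proof on its own.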

Bing! A Crime has been Committed!

I wish it were obvious which crime it was, but the possibilities include:

  • Lousy data security, which means some external party managed to mine their database(s). This from a company that wants you to entrust them with your web site. Yeah, right.
  • Internal theft. Someone who had access to the data accepted payment for making a copy of it. I’m sure there will be an internal investigation, YPG will come clean with a full public disclosure and the appropriate charges will be laid. Yeah, right.
  • YPG sold the data to someone. Data they don’t have a right to use. We can expect a comment full of evasive passive voice that attempts to disclaim responsibility. Meanwhile, they’d never do that with the rest of the data under their control. I mean, this is their data, they’re very, very extra special trustworthy and would never sell information in their customers’ databases. Yeah, right.

But my bet is they just hope this post stays on some ranter’s back-water blog. So be it.

We’ll see. I’ll post copies/scans of anything that comes in.