
Ghostery’s GDPR notification exposes recipients’ addresses in batch emails, runs afoul of GDPR

It seems the path to GDPR is fraught with GDPR violations – at least for privacy browser Ghostery, which exposed the email addresses of users to other users when it sent out GDPR notification emails Friday.

“Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient, was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the ‘To’ field,” the company said in a statement, explaining that it had recently switched from a third-party email automation platform to managing emails in its own system. “We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.”

The company sent out notices, in batches of 500 users, boasting of its privacy standards on the day that GDPR took effect.
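The failure the statement describes is a bulk job that puts every address in a batch into one shared To header. The following added example (not Ghostery’s code; the addresses and sender are constructed) builds one message per recipient and adds a pre-send guard that rejects any notice whose To/Cc headers would disclose more than one address, alongside the batch-style message that would have been caught:

```python
"""Per-recipient notification mail with a guard against batch To: disclosure."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample batch for the demo; not real user addresses.
BATCH = ["alice@example.test", "bob@example.test", "carol@example.test"]
SUBJECT = "Our GDPR update"
BODY = "As of May 25, 2018 the GDPR is in effect. Here is what we changed."


def build_messages(recipients, sender="notices@example.test"):
    """One EmailMessage per recipient: no address ever shares a header with another."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr  # exactly one recipient per message
        msg["Subject"] = SUBJECT
        msg.set_content(BODY)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses every recipient can read from the headers (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, max_visible=1):
    """Refuse to hand a notice to the mailer if it would reveal other recipients."""
    visible = visible_recipients(msg)
    if not visible:
        return False, "no recipient in To"
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc; notices must be individual"
    return True, "ok"


def batch_as_single_message(recipients, sender="notices@example.test"):
    """The failure mode from the incident: one message with the whole batch in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


if __name__ == "__main__":
    for m in build_messages(BATCH):
        print(check_before_send(m))
    print(check_before_send(batch_as_single_message(BATCH)))
```

Running the guard against a small test batch first, as the expert quoted below suggests, is what lets the second case fail before any real user is in the To field.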

“As you may be aware, on May 25, 2018 the EU General Data Protection Regulation (GDPR) goes into effect. We at Ghostery hold ourselves to a high standard when it comes to users' privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation,” the email read before listing the steps that the company had taken to comply.

The company soon realized that each recipient in a batch could see the email addresses of the other recipients, but not before it was pummeled on social media.

Twitter user Andrew R. Stine, who goes by the handle Linguica, tweeted, “HELL YES @Ghostery JUST SENT ME A GDPR EMAIL WITH FIVE HUNDRED EMAIL ADDRESSES CC'ED ON IT!! THANKS, GHOSTERY!!!!”

Ilia Kolochenko, CEO and founder of High-Tech Bridge, contended that “a human mistake is virtually unpreventable even at large cybersecurity companies,” but said the company’s misstep was still surprising.

“Why didn't Ghostery send a test email first to a dozen real users, to ascertain that all is correct, before sending to a larger trial party and, only then, send its large-scale GDPR email blast?” said Kolochenko. “I hope Ghostery will make the necessary conclusions and undertake the necessary measures to revise and enhance their internal processes, including data breach notification procedure.”

Ghostery said it "will be reporting the incident as mandated by the GDPR" and has stopped distributing the email.

"Furthermore, while this was an error with update emails that all account holders will continue to receive (e.g., when we're legally required), we are providing clear instructions on how to opt out of future Ghostery product and marketing emails or delete an account for those who wish to do so, as well as permanently expunging any user data upon request," the company said. "If you prefer to not receive these updates you may delete your account."
