UK: Cool Components’ email database taken in apparent data breach
Gareth Halfacree reports on a somewhat atypical breach with a poor incident response by Cool Components:
Hobbyist electronics specialist Cool Components has been hit with an apparent data breach in which persons unknown have made off with its customer email list – but the company claims its investigation has turned up no evidence of security issues.[…]
Cool Components’ customers received the first hint of a problem on the 24th of February, when a newsletter from rival company RoboSavvy tipped up in their inboxes. With no prior relationship to RoboSavvy recipients were left wondering how the company had gathered their email addresses, and those who use unique per-company addresses to sign up to mailing lists quickly found their answer: the email addresses had previously been provided to Cool Components during the ordering process.
The two companies were alerted to the problem via social networking service Twitter on the 24th, but neither responded to enquiries. Those querying the issue via email were luckier: while RoboSavvy initially attempted to claim that the addresses must have been mistyped during entry, the company began an investigation after being contacted by media regarding the issue. The result: an admission that more than 4,000 emails were mass-subscribed to the RoboSavvy database on three separate dates, but a denial of any wrongdoing. In its announcement to customers, RoboSavvy claimed that ‘all these emails were added using the website and on 3 different days we have 3 different IP addresses adding them, all of the IPs are backtraced to China.‘[…]
When asked how the email addresses, uniquely and provably provided only to Cool Components, had been obtained by the third party who subscribed them to the RoboSavvy mailing list, a Cool Components spokesperson refused to answer, and the company’s Twitter account has been similarly unwilling to respond to customers asking the same question.
Read more on Bit-Tech. Maybe UK consumers unhappy with the firm’s response should file complaints with the Information Commissioner’s Office.