[ISN] Wh00ps - Email from CSI last week

InfoSec News isn at c4i.org
Wed Mar 1 02:48:17 EST 2006

---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 15:54:41 -0600
From: "Chris Keating, Director Of CSI" <SC @ hdsmail.com>
Reply-To: chriskeating @ cmp.com
To: wk at ...........
Subject: Email from CSI last week


Dear CSI Member,

I'm writing to apologize for a mistake we made in an e-mail message
you received from us last week. In the rest of this note, I will
explain the mistake we made and why we believe it merits an apology
(and an explanation). But since your time is valuable, let me
summarize in my first paragraph that an error occurred, in which your
name and address were inadvertently given to one other CSI member or
potential event attendee. This was caused by a mail merge error, not
any kind of breach of security, nor was your information generally
broadcast or the mailing list as a whole exposed in any way. Though
the inadvertent distribution was limited in scope, we still take it
very seriously. To try to ensure there are no more such errors, we are
taking the steps outlined below. If you have any questions about the
error or our reaction, please read the paragraphs that follow and if
you still have questions beyond this explanation, please don't
hesitate to contact me at the address given below.

The message we sent last week invited you to join us for an Editorial
Perspective TechWebCast called Security: The Application Point of
View. The invitation still stands--we'd love to have you join us and
you can find out more by Clicking Here. In last week's letter, we made
use of a feature we're rather proud of: to help speed the process if
you decided to register for the event, the e-mail message included a
pre-filled registration form. Obviously, what's supposed to be in the
pre-filled form is information about you--information you've shared
with us in the past such as your business mailing address and your
telephone number. This information did not include traditionally
sensitive categories of information such as credit card numbers or
social security numbers.

The data for the form is merged with the email message content as each
message is sent out. In this particular mailing, the data used for the
merge had been corrupted, such that each recipient record included in
part certain data relating to another recipient. As a result, each
form we emailed was incorrectly pre-filled with the information of a
different individual in the database who was not the recipient of the

The specific condition that caused the database error to occur on this
occasion is being corrected. Additionally, we are examining the
possibility of designing new code for the application that merges the
data with e-mail messages to assist in addressing problems of this
type. If these efforts and other efforts do not result in making us
sufficiently confident in our ability to catch such errors, we plan to
remove the pre-filled form feature from future mailings until we can
achieve that level of confidence.

Again, your information was released to only one other CSI member or
potential event attendee and no credit card or information of similar
sensitivity was involved. Even a small slip-up, though, doesn't show
as much respect for the trust you've placed in us as we'd like. Please
accept my apologies and my assurance that we consider your privacy an
integral part of our success as a security organization.

With best regards,

Chris Keating, Director
Computer Security Institute
chriskeating @ cmp.com

If you would prefer not to be contacted again about such events,
please opt-out here.

600 Community Drive
Manhasset, NY 11030
CMP Privacy Policy
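
The letter says new code for the merge application is being considered to catch errors of this type. One possible pre-send check follows as an added example; it is not part of the original message and not CSI's code. The record layout, the shared key and every function name are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac
import json

# Assumptions (not from the letter): record layout, key handling, function names.
KEY = b"constructed-demo-key"  # shared by the database export job and the mailer
FIELDS = ("email", "name", "address", "phone")

def _tag(record):
    # JSON list encoding keeps field boundaries unambiguous before MACing
    msg = json.dumps([record[f] for f in FIELDS]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def seal(record):
    """Export side: bind the fields of one database row together."""
    return {**record, "tag": _tag(record)}

def check_batch(recipients, records):
    """Mailer side: return a list of problems; empty means safe to merge."""
    if len(recipients) != len(records):
        return [("*", "recipient/record count mismatch")]
    problems = []
    for rcpt, rec in zip(recipients, records):
        if not hmac.compare_digest(_tag(rec), rec.get("tag", "")):
            problems.append((rcpt, "fields changed since export"))
        elif rec["email"].lower() != rcpt.lower():
            problems.append((rcpt, "intact row, but for another recipient"))
    return problems

def merge_batch(recipients, records):
    """Fail closed: render no forms at all if any record is suspect."""
    problems = check_batch(recipients, records)
    if problems:
        return [], problems
    forms = [(rcpt, {f: rec[f] for f in FIELDS})
             for rcpt, rec in zip(recipients, records)]
    return forms, []

# Constructed sample data
SAMPLE = [
    {"email": "alice@example.org", "name": "Alice A.", "address": "1 First St", "phone": "555-0100"},
    {"email": "bob@example.org", "name": "Bob B.", "address": "2 Second Ave", "phone": "555-0101"},
]

if __name__ == "__main__":
    rows, to = [seal(r) for r in SAMPLE], [r["email"] for r in SAMPLE]
    mixed = [dict(rows[0], address=rows[1]["address"]), rows[1]]
    print(merge_batch(to, rows)[1])        # clean batch
    print(merge_batch(to, mixed)[1])       # one row carrying part of another
    print(merge_batch(to, rows[::-1])[1])  # rows shifted against recipients
```

The tag catches a record that carries part of another row, and the address comparison catches whole rows that are intact but paired with the wrong recipient; either finding stops the entire mailing.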
