How not to handle data loss

I had the misfortune to have to deal with a user who had received an email after their data was stolen from the University of Texas. The email mentioned that their username and email address had been divulged to unauthorised users.
Unfortunately the way the email was sent out to the user, it looked just like a phishing scam. The email contained references to but if you looked at where the link would take you, it actually went to a address.
As this is a typical phishing mechanism I did a bit of digging. A whois lookup on provided an IT contact and the fact that the domain had been registered for 6 years which therefore implied that their server might have been hacked.
I contacted the Convio and received a return phone call where I was told that a lot more data had been revealed (depending on what data was stored on the server) and that the email was genuine.
After that I received two phonecalls from a call center that was set up to answer queries about the data theft. The scary thing is that their records show I requested contact about the problem but they didn’t update the records that someone had already contacted me. It would also make sense to ensure that the users who are manning the call center can actually pronounce the names of the companies involved in the whole farce!

I was also amazed to see that the University are not offering free credit monitoring or any other form of compensation to the affected users – instead they are just given (more redirected) links to a reduced fee.

All the above makes a mockery of the comments on the University website that can be found on google and the REALLY scary thing is that the server was hacked more than a month ago (April 11th), they announced it on the April 23rd and they didn’t contact the user until May 25th (see Attrition for details.
Oh – and there are another 197,000 users also affected – still thats small change in the amount of 81,822,769 that have been affected since the Choicepoint breach in Feb 05


  1. angela

    Interesting. We use Convio too and this is something we never really considered. I passed this bit o’wisdom along to our admin today.

Comments are closed.