Saturday, March 12, 2005

What's in a name? When it's "Spamalot" perhaps you should expect alottaspam

Today's New York Times has an interesting and slightly amusing article about a computer glitch on the Spamalot (the Broadway musical) website that may have exposed more than 31,000 to alottaspam.

The New York Times > Theater > News & Features > What to Expect of 'Spamalot'? A Lot of Spam:

"'Spamalot' fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. 'Movin' Out' devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y...."

I'm not sure if this qualifies as an incident as the article only refers to the glitch's potential to expose addresses. I suppose the site maintainer would be able to look at their logs to find out if the page with all the names was ever viewed.

So many privacy incidents are caused by simple human error, whcih I expect is the cause of this one. I'm on the board of an industry association that recenly allowed the local economic development agency to send an e-mail to its members announcing a very specific event. Unfortunately, someone thought that using a "distribution list" in Outlook would shield all the addresses. Not quite. Every single address was in the "To:" field. So far nobody has complained, but I expect we'll hear more of it. One minor misunderstanding of the technology and it had the potential to upset quite a few people.

Thanks to Rob Hyndman for reminding me about the article. I saw it very early this morning but forgot to bookmark it for later blogging.

No comments: