[IP] more on stolen e-mail addresses from Orbitz

To: ip@xxxxxxxxxxxxxx
Subject: [IP] more on stolen e-mail addresses from Orbitz
From: Dave Farber <dave@xxxxxxxxxx>
Date: Thu, 30 Oct 2003 11:21:26 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx

Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 30 Oct 2003 16:07:08 +0000
From: johnl@xxxxxxxx (John R. Levine)
Subject: Re: [IP] stolen e-mail addresses from Orbitz
To: dave@xxxxxxxxxx
Cc: Alexandros Papadopoulos <apapadop@xxxxxxx>

> I have very good reason to believe that orbitz.com sold off my
> private information, in breach of their privacy policy. I told them
> about it and they ignored my complains. What can I do about it?

Hi.  I'm a member of Orbitz' Consumer Advisory Panel.  I don't speak
for Orbitz, but I'm quite familiar with the company, I know all of the
upper management, I've been talking to them about this spam problem.

Someone stole part of their mailing list.  I saw a bunch of reports
the same time everyone else did reporting spam to addresses that only
Orbitz should have.  I quickly made sure that Orbitz understood what
was happening, which they do now.  It took about half a day for the
info to filter out to the people who answer customer e-mail, which is
why some early reports got less than useful responses.  Needless to
say, Orbitz is unhappy about this, they've called the cops, and their
tech people are trying to figure out where the leak was, whether
internal or one of the companies to which they outsource work.  It
doesn't look like the whole list was stolen, since I have multiple
tagged addresses on their list, and they haven't been spammed.

I've seen some claims that "Orbitz must have sold my address."  That
just doesn't make any sense.  Orbitz is a billion dollar company
getting ready for an IPO.  (Read all about it in their S-1 at the
SEC.)  They sell ads on their web site to big companies for millions
of dollars.  The spam I've seen has been penny ante stuff touting
junkware to remove URLs from your browser history.  The spammers who
sent it might pay $200 for a million addresses.  Orbitz, or any big
company, would have to be utterly insane to sell their list for an
amount so small it wouldn't even show up as a rounding error on the
balance sheet, even if doing so wouldn't violate their published
privacy policy and drive away their customers.

One thing this does point out is that spammers are increasingly
discarding any veneer of legitimacy and are showing themselves to be
plain old crooks, hijacking other people's PCs to send their junk,
selling fake and non-existent goods, and of course stealing anything
they can instead of paying for it.

Regards,
John Levine, johnl@xxxxxxxx, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"I dropped the toothpaste", said Tom, crestfallenly.

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] E-Vote Software Leaked Online (I love the security by secrecy statement djf)
Next by Date: [IP] The Wrong Way to Stop Spam: Dictatorship by ISPs
Previous by thread: [IP] E-Vote Software Leaked Online (I love the security by secrecy statement djf)
Next by thread: [IP] The Wrong Way to Stop Spam: Dictatorship by ISPs
Index(es):
- Date
- Thread