Spam received by customer not linked to a security breach or a disclosure at his telecom

PIPEDA Report of Findings #2014-010

September 15, 2014


When an individual received approximately 200 spam emails in four months at an email address that he was using exclusively to communicate with a telecommunications firm as a subscriber to one of its online services, he suspected that the firm had either been the target of a security breach or it had disclosed and/or sold his email address.

The individual claimed to have approximately 1,000 unique email addresses. The one he used for the telecommunications firm was created under his own Web domain. He claimed that only six of his email addresses had ever generated spam, and that he maintained an archive to track any spam he received. He dismissed the possibility that his email address with the telecommunications firm could have been guessed by a potential spammer.

In 2012, the telecommunications firm duly responded to his raised concerns. The firm informed him that its secure systems had not been affected by any security breach, that customer email addresses are only shared internally, and that his address had not been sold.

In the firm’s view, because the individual admitted to using his domain to register for accounts with online gambling sites and with websites that had since been shut down, the individual had exposed his domain and personal computer to spammers and malware.

Since the individual was not satisfied with that response, he filed a complaint with our Office, which we received in 2013.

Our investigation included an in-depth technical component and established that once spammers have found a valid domain (e.g., the one the individual uses), they can send millions of emails to variations of email account names, all using the same domain.

As for the telecommunications firm, it stated that it had not been affected by any security issues of customer email addresses. Further, it explained to us in detail the many-faceted security measures it employs, including encryption practices and the separation of databases.

At our request, the third-party service provider that manages the firm’s data centre conducted its own investigation, the results of which did not indicate that there had been any unauthorized access attempts. Its security safeguards appeared appropriate and commensurate with the data management responsibilities for the firm.

Based on the evidence we received, we could not conclude that the individual’s email had been disclosed by the telecommunications firm, as he alleged. Nor could we determine that there had been a security breach or that the firm’s security safeguards, or those of the third-party service provider, were inadequate.

Consequently, the matter was found to be not well-founded.

Lessons Learned

  • Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
  • Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  • The security safeguards used by an organization shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
  • The methods of personal information protection should include (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”)

Overview

The complainant subscribed to a service (the “Service”) from a telecommunications service provider (the “organization”), at which time he opened an account with the organization, using a unique email address. When he began receiving spam at this email address, he believed that either the organization had sold his personal information or another party had obtained it insidiously.

The organization performed an investigation and provided our Office with an extensive account of it, including details on the organization’s safeguarding measures in place. We also conducted our own technological analysis.

We concluded that there was no corroborative evidence to confirm the complainant’s allegations of either improper use of his email address by the organization or of a security breach, the latter either at the organization or at the third-party service provider that operates its data centre.

We thus determined that the matter was not well-founded.

Summary of Investigation

  1. The complainant alleged that the organization either sold his email address to spammers without his consent, or failed to protect his personal information from disclosure through inadequate safeguards.
  2. The complainant indicated that as is his practice, he created a unique email address on his own Internet domain when he signed up for the Service, and that he did not share this address with any other parties. 
  3. Sometime later, he started receiving spam email at this email address.  He believed that the organization was the root cause of this spam, due to either: (i) the organization having sold his email address or (ii) his email address having been leaked through a security breach.
  4. The complainant contacted the organization’s chief privacy officer. The organization responded to the complainant confirming: (i) that the organization had not sold his email address; (ii) that its systems are secure; (iii) that there had been no security issues or breaches and (iv) that the email address list is only shared internally.
  5. The complainant was unsatisfied with this outcome, alleging that the organization’s response was inadequate in that the organization failed to conduct a suitable investigation into his concerns given the evidence he had presented. He filed a complaint with our Office, which we accepted on April 25, 2013. 
  6. Our investigation established that the complainant had been a customer of the organization for decades, and at the time of our investigation, was still an Internet customer.
  7. When the complainant signed up for the Service, he created a unique email address for this account.
  8. The complainant reported that all the unique email addresses that he creates for himself have the same domain, and claimed that from his approximately 1000 addresses, only six have ever generated spam. Of these spam incidents, he stated, one was linked to a gaming website, others were from enterprises that went out of business and lost their domains, and some were generic email address prefixes common to most Web sites.
  9. The complainant contended that his unique email address with the organization is not detectable from a guess or from a dictionary attackFootnote 1, as he has addresses that would be more easily guessable, which have not received spam. Our Office does not share this particular view, as we believe that this type of email address could also be “guessable” in a dictionary attack.
  10. The complainant claimed that he never deleted email addresses that he created, and that he maintained a permanent archive for spam tracking.
  11. The complainant could not pinpoint exactly when he began receiving spam emails, but noted that they became enough of a nuisance that he contacted the organization in 2012 to complain.
  12. According to the complainant, over a period of four months in 2013, this particular email address received approximately 200 spam emails.
  13. Our investigation included an in-depth technological analysis of the information provided to us. We were able to confirm that once a spammer has found a valid domain (such as the one used by the complainant), numerous techniques are employed whereby potentially millions of emails are sent to variations of email account names, all ending with the same domain.
  14. The organization provided information to our Office outlining the course of its internal investigation into the complainant’s concerns.
  15. The organization confirmed that it had not identified any security issues or breaches of customer email addresses during the timeframe in question, and indicated how it records, stores and protects customer email addresses when an individual registers on its Web site.
  16. The organization explained how access to the Service is restricted and tracked (especially when dealing with customer communications via email), and how scanning ensures that the Web platform is secure and has not been compromised.
  17. The organization asserted that because the complainant acknowledged having used this domain to register for accounts with online gambling sites and sites that had been shut down for unknown reasons (including loss of domain validity), he had exposed the domain (as well as his personal computer) to potential scammers, spammers and malware risks.  The organization stated that visiting such sites could expose any data stored on his computer, including stored cookies and browsing history, which may have included the complainant’s email address at issue.
  18. The organization’s data centre is operated by a third-party service provider. We requested that the third-party service provider perform a detailed investigation into the matter. The organization responded and included the results of an investigation into the third-party service provider’s responsibilities for the operation of the data centre.
  19. Based on that submission, we determined that the security measures in use by the organization, including: the firewall, the use of reverse proxies and the separation of databases; all appear to indicate that it is very unlikely the complainant’s email address and personal information were stolen by an outside attacker. The organization also provided us with details on its SSL and encryption practices.
  20. Additionally, the third-party service provider’s security safeguards appear sound and appropriate for its responsibilities in managing the Service’s data centre. Further, the third-party service provider’s system access and database logs did not identify any unauthorized access attempts, excessive access attempts, or any unusual activity. 
  21. With regard to the complainant’s allegation that the organization had sold his email address, the organization asserted that only one group within the organization uses the customer contact email list, and that this group uses the list only for communicating with the Service. The organization explained that email addresses are not sold, and that personal information is shared internally for specified purposes, as outlined in its privacy policy. 
  22. Our Office reviewed the organization’s privacy communications.

Application

  1. In making our determinations, we applied Principles 4.5, 4.7, 4.7.1 and 4.7.3 of Schedule 1 of the Act. 
  2. Principle 4.5 states in part that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
  3. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  4. Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
  5. Principle 4.7.3 states that the methods of protection should include (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption.

Finding

  1. At issue in the first place is whether the organization disclosed the complainant’s personal information without his knowledge and consent, specifically, his email address to advertisers.
  2. Based on the evidence presented to us from both parties, we cannot conclude that the organization disclosed his email address as alleged. Consequently, Principle 4.5 has not been contravened.
  3. At issue in the second place is whether a security breach at the organization resulted in the complainant’s email address being leaked to another party and that the security safeguards in place were not adequate. Our view, based on all the evidence we obtained and carefully reviewed, including evidence stemming from our own technical analysis, is that there does not appear to have been any security breach or harvesting of the complainant’s personal information from the organization.
  4. There is no evidence that the complainant’s email address was somehow obtained from the organization or the third-party service provider by an outside attacker. There is also no evidence, and we deem it unlikely, that the complainant’s email address was improperly disclosed by an insider, either at the organization or the third-party service provider.
  5. Further, the organization and the third-party service provider have demonstrated that they employ security safeguards to protect the personal information of their customers. In our view, the workflows and security measures in place described by the organization appear adequate and appropriate for the Service’s operation. 
  6. Therefore, we do not find that there were contraventions of Principle 4.7, 4.7.1 or 4.7.3.

Conclusion

  1. Accordingly, we conclude that the matter is not well-founded.
Date modified: