---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 15:54:41 -0600
From: "Chris Keating, Director Of CSI" <SC @ hdsmail.com>
Reply-To: chriskeating @ cmp.com
To: wk@...........
Subject: Email from CSI last week

[csi_letter_header2.jpg]

Dear CSI Member,

I'm writing to apologize for a mistake we made in an e-mail message you received from us last week. In the rest of this note, I will explain the mistake we made and why we believe it merits an apology (and an explanation). But since your time is valuable, let me summarize in my first paragraph that an error occurred, in which your name and address were inadvertently given to one other CSI member or potential event attendee. This was caused by a mail merge error, not any kind of breach of security, nor was your information generally broadcast or the mailing list as a whole exposed in any way.

Though the inadvertent distribution was limited in scope, we still take it very seriously. To try to ensure there are no more such errors, we are taking the steps outlined below. If you have any questions about the error or our reaction, please read the paragraphs that follow and if you still have questions beyond this explanation, please don't hesitate to contact me at the address given below.

The message we sent last week invited you to join us for an Editorial Perspective TechWebCast called Security: The Application Point of View. The invitation still stands--we'd love to have you join us and you can find out more by Clicking Here.

In last week's letter, we made use of a feature we're rather proud of: to help speed the process if you decided to register for the event, the e-mail message included a pre-filled registration form. Obviously, what's supposed to be in the pre-filled form is information about you--information you've shared with us in the past such as your business mailing address and your telephone number. This information did not include traditionally sensitive categories of information such as credit card numbers or social security numbers.

The data for the form is merged with the email message content as each message is sent out. In this particular mailing, the data used for the merge had been corrupted, such that each recipient record included in part certain data relating to another recipient. As a result, each form we emailed was incorrectly pre-filled with the information of a different individual in the database who was not the recipient of the message.

The specific condition that caused the database error to occur on this occasion is being corrected. Additionally, we are examining the possibility of designing new code for the application that merges the data with e-mail messages to assist in addressing problems of this type. If these efforts and other efforts do not result in making us sufficiently confident in our ability to catch such errors, we plan to remove the pre-filled form feature from future mailings until we can achieve that level of confidence.

Again, your information was released to only one other CSI member or potential event attendee and no credit card or information of similar sensitivity was involved. Even a small slip-up, though, doesn't show as much respect for the trust you've placed in us as we'd like. Please accept my apologies and my assurance that we consider your privacy an integral part of our success as a security organization.

With best regards,

Chris Keating, Director
Computer Security Institute
chriskeating @ cmp.com

If you would prefer not to be contacted again about such events, please opt-out here.

CMP Media LLC
600 Community Drive
Manhasset, NY 11030
CMP Privacy Policy

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org