Ghostery, a privacy and security-related browser extension and mobile browser application, breached the newly introduced European Union GDPR Data Privacy legislation with the email it distributed to its users to advise them of changes in Data Privacy under the new legislation.
All of the email addresses included in the mailshot were listed in the CC field, exposing each address to every other recipient of the same message. Representatives for Ghostery said: “Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient, was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the ‘To’ field”.
They added: “We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.”
The company sent out notices, in batches of 500 users, boasting of its privacy standards on the day that GDPR took effect. The email arrived in inboxes with the subject line “Happy GDPR Day — We’ve got you covered!” and stated: “We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”
“Why didn’t Ghostery send a test email first to a dozen real users, to ascertain that all is correct, before sending to a larger trial party and, only then, send its large-scale GDPR email blast?” said Kolochenko. “I hope Ghostery will make the necessary conclusions and undertake the necessary measures to revise and enhance their internal processes, including data breach notification procedure.”
Ghostery reported the incident as required under GDPR. The email is no longer being distributed.
The company finished by saying: “Furthermore, while this was an error with update emails that all account holders will continue to receive (e.g., when we’re legally required), we are providing clear instructions on how to opt out of future Ghostery product and marketing emails or delete an account for those who wish to do so, as well as permanently expunging any user data upon request. If you prefer to not receive these updates you may delete your account.”