SparkLIST Questions Highlight Web Security Woes

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
A number of e-mail newsletter publishers are complaining that someone is spamming their proprietarye-mail lists -- raising the question of how secure any data really can be in the hands of a third-partyvendor.

The e-mails in question seem to be have originated from one or more mailers operating out ofRaleigh, N.C., known in anti-spam circles as the "North Carolina Spam Gang." It is not known how thegroup obtained the lists; calls to its suspected leader were not returned by press time.

The lists had been maintained by SparkLIST.com, an e-mail services provider that was acquired inAugust by Berkeley, Calif.-based Lyris Technologies, which had previously only owned a stake in thecompany. According to sources close to the firms, only a handful of SparkLIST's original, Milwaukee,Wis.-based staffers were retained through the merger.

Lyris, which services clients including Disney, NBC and other firms, had provided the technologypowering SparkLIST's ASP. Jupitermedia, the parent company of internetnews.com, is also a SparkLISTcustomer.

Speaking with internetnews.com, company officials suggested whatever breach had occurred hadtaken place in August, before Lyris fully had taken over control of SparkLIST's operations.

"Some of the spam was sent prior to the transition of technology to California," Lyris ChiefOperating Officer Steven Brown said. "That makes the investigation a little more complicated. We'redealing with an infrastructure and an employee base that is not entirely our own."

On Friday, SparkLIST issued a statement to customers acknowledging the breach publicly for the firsttime.

"I'm taking this issue very seriously, and I've been in contact with all the customers that haveraised their hands about this," Brown said. "If other clients come forward with spam ... I will lookat it immediately."

Brown added that the company is conducting an internal inquiry while also retaining an outsidesecurity consultant, Word to the Wise.

A number of newsletter publishers affected by the spam were smaller, independent businesses involvedin the online marketing arena, who suspected something was amiss when subscribers began reporting thatspam had come to addresses used only for the newsletters.

Andy Sernovitz, chief executive at New York-based GasPedal Ventures -- one of the e-mail marketingconsultancies affected -- said he received dozens of complaints from subscribers.

Yet in spite of the apparent misappropriation of data -- regardless of how it happened -- Semovitzand others agree that such occurrences are almost a cost of playing the Internet business game.

"Hacking is something that happens -- people understand it happens -- but the real issue is how acompany responds," Sernovitz said.

Even e-mail service bureaus agree.

"Security is an ongoing battle, and we have a company monitor our security daily," said MichaelMayor, NetCreations' president. "It's an evolving process -- you can't just leave it alone and walkaway and think it'll be okay forever. The hackers get better and better at it. You have to be seriousabout your investment in security and think of it long-term."

"There are people out there who want access to your address, and they're very creative and diligentpeople," he added. "You just have to know it's a problem, and follow-through with addressing it."

While SparkLIST did not comment on this story, the company's site says its servers are "specificallyinsulated against hackers for an added peace of mind."

Often, e-mail list managers and mailers rely on a number of security procedures, ranging fromchanging user IDs and passwords often, ensuring that only a limited number of qualified personnel haveaccess to client data, and making certain that terminated employees' access is revoked.

"There's architectural implementation issues as well," said John Matthew, vice president ofoperations at Bigfoot Interactive. "The database should be isolated, in a sense, from the Internet.Our database is not accessible to the outside world -- all access is only through APIs that we haveinternally. That's the only method to get to the database."

Steven Gittleson, vice president of technology at NetCreations, said his firm encrypts e-mails inits database and prohibits a user of its list management and distribution application fromactually viewing e-mail addresses.

"We never, ever, return e-mail addresses to a user that's in the application," he said. "A user,who's been authenticated twice, in our [internal] network and in the application ... will neverbe able to [see] actual e-mail addresses in the lists -- only information about the lists."

Gittleson also said the company keeps e-mails in an off-site, secure data center.

But even such efforts aren't always sure-fire, which is why a number of vendors use processes likeaudit trails.

"Every [database] action is logged: the user, the date, as well as the action," Matthewssaid. "So if there is any kind of compromise, we could go back to determine the user ID that initiatedthat action, and when that occurred. So, we could limit the impact [of a security breach] justby viewing the audit trail."

NetCreations also uses Riptech, a unit of Symantec , to monitor its systems forhacker intrusion. Similarly to audit trails, monitoring doesn't necessarily prohibit data loss, butinstead relies on reviews of the system to learn quickly about any sort of attempt to breach it.

Lyris' Brown said that the company had beefed up SparkLIST's security after the merger.

"We made some changes to the SparkLIST network since the acquisition, including reformatting all ofSparkLIST's hard drives with new operating systems, removing all operating system passwords, andupgrading the SparkLIST servers to the latest version of our hosting software," he said. "I'm veryconfident of the security of our network. I can't comment on the security prior to the acquisition."

One of the major hurdles that the average e-mail recipient faces is that some companies -- bothvendors and clients -- don't take privacy as seriously as they ought, say players in the space.

"I don't know if people are taking it as seriously as they should," Mayor said. "If it's donethough a third party, or if someone doing their own hosting, I don't know if it's something you can'ttake too seriously. [Vendors] need to understand that security is a necessary part of yourexpenses here, and you have to include that into your operating expense ... If you don't make anongoing commitment to do that you're not going to have that asset for much longer."

"It raises a lot of issues, and I think that people that are looking for an e-mail provider orservice bureau should really be asking these questions -- how secure is it, what are you doing and whatis your ongoing action plan to protect your lists?" he added. "Those are obvious question for somepeople, but not for others."

Some said that a few marketers, on the other hand, are becoming increasingly savvy about the issue.Bigfoot Interactive spokespeople said that a number of incoming RFPs that it's seen have shown agrowing sophistication in asking about the thoroughness of its data security measures.

Matthew also said that increasing customer demand for tight data policies are also prompted byballooning e-mail marketing by financial services and other industries in which data collection,sharing and security are heavily regulated.

Submit a Comment

Loading Comments...