Care2 breach is something to care about

Care2 is a social network website founded by Randy Paynter in 1998 to connect activists from around the world. Over the holidays it became the latest victim of the kind of breach and data loss we now see almost daily in the online industry. Like many breached companies, Care2.com sent a notice to its user base stating that the attackers were able to access login information for Care2 member accounts, and describing how its team has worked to secure Care2.com so that this type of attack does not recur.

You can read more about the breach and the notice here: If it’s Friday, it’s time to reset almost 18 million passwords?

My wife Jennifer received one of these breach notices at her personal email account and immediately notified me about the breach, but, more interestingly, asked me who care2.com was and why she had received this notice. She has never done business with them, nor ever signed a petition (not her way of doing things) with them or one of their customers.

I began to look further into it by “resetting” the password on the username (email) account that was sent the notice. When we finally got logged in, we were surprised to see that an account really did exist for her. However, there was no PII in the account; it only had her name as First.Last initial (Jennifer.D) and her email address. I did send an email support request asking about the account and where it came from, but no response has been received. Maybe they are busy with the breach, or maybe they can’t explain how the account got there? Why do I say that?

Well, as we looked further into this, we found that Jennifer has NEVER been to their site and NEVER signed a petition, as mentioned above, but they created an account with her email address anyway. Did they buy an email list? I’m thinking so. If we’ve never been to your site, then how do you have her email address? This article explains more: Update on Care2 breach: how to delete the account(s) you didn’t know you had.

Overall, I can say how disappointed we are, not in the fact that Care2.com was breached, but that they used Jennifer’s PII (especially by creating an account for her) without her permission! What bad data governance rules you have, Care2.com. Jennifer was NEVER asked or notified that you created an account. Why did you do that? Possibly to fluff your membership numbers up? Maybe hoping to eventually email her and get her to notice and use the account? No idea, but wow.

What gall! I’m betting on a bad decision by an overzealous CMO to fluff their numbers up.

Anyway, my point here, folks, is this. You and your company should ALWAYS practice the Fair Information Practice Principles, the five core principles of privacy protection (as articulated by the U.S. Federal Trade Commission) that represent widely accepted concepts of fair information practice in an electronic marketplace:

  1. Notice/Awareness
  2. Choice/Consent
  3. Access/Participation
  4. Integrity/Security
  5. Enforcement/Redress

The Fair Information Practice Principles form the backbone of privacy law, and the concepts they include have played a significant role in the development of data protection laws around the globe. Creating an account for someone who never visited your site, from an email address she never gave you, fails the first two principles outright: she was never told, and she never agreed. Understanding the Fair Information Practice Principles and how they should be implemented is critical both to complying with the various privacy laws that protect personal information and to the future success of your business.

I can say for a fact that because of this breach of TRUST we won’t be doing any business with care2.com at all.

-Dennis
Eloqua
Don’t Just Send, Deliver!
