"CueCat" users' information let out of the bag

In the race to turn consumers on to digital scanners, DigitalConvergence stumbles on a security breach that leaves its members' names and email addresses vulnerable to unsolicited email.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
In the race to turn consumers on to digital scanners, DigitalConvergence stumbled on a security breach recently that left its new members' names and email addresses vulnerable to unsolicited email, or "spam."

The security breach came just weeks after the company, along with major magazines such as Forbes, started shipping hundreds of thousands of cat-shaped, mouse-sized scanners and its CD-ROM software companion to consumers. RadioShack, one of the company's major partners, also began handing out the scanners, called CueCats, to customers in the United States.

Consumers can use the devices to scan codes within articles or advertisements and be linked to related Web sites.

The companion software will not run until new members register with DigitalConvergence. About 140,000 people who signed up through the company's Web site instead of through the CD-ROM software were exposed by the breach Friday. Those affected represented a little less than half of DigitalConvergence's new members.

"For the people that registered via our Web site...a hacker exploited a known error in the data script and was able to look into the data file," said Dave Mathews, vice president of new product development at Dallas-based DigitalConvergence. "From there, they could extrapolate the name, email address, age range, gender and Zip code of new members."

But Mathews said the hacker was not able to gather any information about where members went on the Web or about the ads they scanned with the CueCats.

The privacy breach joins a laundry list of similar incidents in the past month. Just last week, beauty e-tailer Eve.com temporarily shuttered its site after it found a flaw in the way its Web site addresses are constructed, exposing thousands of customer names and addresses. A week before, furniture giant IKEA shut down its catalog order site after a breach exposed customer order information. And a glitch at bookseller Amazon.com exposed the email addresses of many of its Affiliate members.

DigitalConvergence found out about the security vulnerability from watchdog Web site Securitywatch.com on Friday. DigitalConvergence immediately shut down that part of the site and moved the information to a secure internal network, Mathews said.

In an email sent yesterday to all those affected by the incident, DigitalConvergence tried to reassure its new members that it was taking steps to secure their personal information.

"As a result of this breach, unauthorized third parties may have been able to gather your name and email address," the email read. "You may receive unsolicited emails (a.k.a. spam) from unrecognized sources."

As consolation for their apparent aggravation, members were also informed in the email that the company would be offering them a $10 gift certificate to RadioShack.

But one new member who received the alert from DigitalConvergence is worried about more than his email address.

"I haven't yet received any spam from this breach that I know of, but I'm more concerned that I gave (DigitalConvergence) my credit card number to order a CueCat through the mail," a Belmont, Calif., resident who was apparently affected by the breach said in an email.

Although the CueCats and software are free to anyone who wants one, consumers who order one through the company's Web site have to pay about $10 for shipping and handling. This member said the email sent by the company did not reassure him about the safety of his credit card number.

But DigitalConvergence said the card numbers are processed through a secure area on the site, separate from the area that was vulnerable.

"Also, I'm more annoyed that they offered a gift certificate--something I would expect for an inconvenience or annoyance, not a major error on their part where they actually broke the trust of the privacy agreement," the member said.