X

Butterball's data security for the birds

Butterball is the latest in a string of companies to expose consumers' personal data through its Web site.

3 min read
You might not want the world to know that you signed up for the Butterball company's Turkey Mail electronic newsletter. But even if you don't mind that, most likely you don't want the world to know your gender, marital status, and email address.

But Butterball is the latest in a string of companies to expose consumers' personal data through its Web site.

People interested in getting recipes and turkey cooking tips signed up for Butterball's "Turkey Mail" newsletter by filling out an online form that asked for demographic information as well as cooking preferences. Butterball accidentally published the information to a publicly accessible Web page.

The privacy breach is the latest in a series of security lapses that have involved companies such as Nissan, AT&T, Seagate, and Yahoo.

Butterball, which was tipped off to the security breach by a phone call from CNET News.com, has removed the personal data, a company spokesperson said.

"Butterball highly respects the privacy rights of every newsletter subscriber. When this informational loophole was discovered, we responded quickly and responsibly by immediately securing subscribers' names and addresses as was always intended," the spokeswoman said in an email message to CNET News.com. "Site visitors can now be completely assured that all information provided will be protected."

With the data on the Butterball site, a user could find out that 30 percent of newsletter subscribers are 40 or older, or that 703 single mothers signed up for the newsletter--about 10 percent of the total number of subscribers.

Perhaps more upsetting to consumers, the data can be used to track down individuals. Using directory lookups such as AnyWho or InfoSpace, the email addresses and cities of residence provided by the data can be used to find people's names, street addresses, and phone numbers.

Annapolis, Maryland, resident Theo McCormick discovered the breach last week. After reading reports of previous email exposures, McCormick searched the Web using HotBot for his own email address but didn't find it listed anywhere. He then tried his wife's address and found the Butterball data.

McCormick, who works for a pharmaceutical firm, suggested that the data might be useful to other poultry companies. He said he was "shocked, surprised, and a little disappointed that the Webmaster can't have security measures to protect their own information, much less customers' information."

Tara Lemmey, president of the San Francisco-based Electronic Frontier Foundation, said Net users should expect more privacy breaches to become public in the near future, as more and more people start to look for them. Lemmey said the problem stems from companies that want to set up systems for collecting data without focusing on guaranteeing the security of that data.

"They're not looking at the whole system and they have to," Lemmey said.

Lemmey advised consumers to notify organizations like Truste and BBBOnline when their members expose private information. For companies such as Butterball, which are not members of either privacy governing organization, consumers should alert the companies directly and ask them to audit their security practices.

But Jason Catlett, president of the privacy rights organization Junkbusters, said that simply notifying companies and organizations like Truste is not enough. He said new laws are needed to govern privacy.

"There should be an expectation that information that you give to a Web site is not disclosed to others without your consent," Catlett said. "That covers accidental disclosure and intentional disclosure."