Is it Bad When Security Companies Leak Data? You Betcha…

This morning being The Dawning of the Age of GDPR (the European Union’s new regulations regarding privacy and data retention by businesses), I was glad to get an early start into all of the emails requiring my assent for them to keep sending me “stuff” (I hope that about 80% take me off their email lists, but that’s one for another post). I did, however, decide I wanted to read the latest white paper on Cyber Security from well-known Security and Compliance services firm AlienVault. Oops…

Imagine my surprise when, after clicking on the new GDPR-mandated website box saying that yes, I know they’ll keep my data and relentlessly spam and call me, their marketing system popped open a new screen that dropped me into their Salesforce interface and started spewing 1,000+ emails of their clients and prospects from the system. There’s no telling if this error was caused by Salesforce, the marketing automation platform Marketo, or just bad coding on the part of AlienVault employees, as all three company platforms were exposed in the code and data dump that took place. It should be noted that this wasn’t a web page that acted up and started showing its source code; it opened up an unencrypted form on the AlienVault web site that appeared to allow queries and posting to their Salesforce leads database via Marketo. I did not query their system for any information; the long, long list of emails was already displayed on the page. While I understand that “stuff” happens, for a security company to have such an egregious issue on the very first day of heightened regulation looks bad.

For the record, we do not use AlienVault (or any of the other companies mentioned above) in our service offerings.