Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Spam to my AT&T address from Bursor and Fisher
I received one of these emails back in January. I was concerned that my information, including credit card had been leaked so I contacted Mr. Fisher by phone to ask him about the source of the email addresses.
 
On the call Mr. Fisher told me a number of things. One, that it was not spam I received because I could always opt-out. When I pointed out the email was unsolicited he said that he disagreed with me.
When I asked about how this wasn’t a violation of my agreement with AT&T he asserted that he was not a party to that agreement and therefore could do anything he wanted with my email address. He also informed me that I had no recourse.
Mr. Fisher also told me that he had a court order that allowed him to use the AT&T customer database however he pleased. He declined to send me a copy of the court order, however, because he didn’t want to me to call him a spammer again.
From what he told me and piecing together information I found online, this is my best understanding of what happened. A few years before I received mail for the myspace class action, he used the AT&T database to shop around another suit against AT&T. AT&T was justifiably upset by this and took him to court. The judge ruled in his favor. I’ve tried to find a copy of this ruling, but it appears many state court rulings aren’t published. Lawyer friends have even looked for me, but no one can find such a ruling.
It is, of course, completely possible that the lawyer doesn’t have said ruling and that’s why he declined to email it to me. Or it’s possible he does have a ruling and I just can’t find it.
In any case, the AT&T customer database from a few years ago is in the hands of a spammer who believes it is his right to use that database however he wants. His acquisition of the list was clearly legal, and his use of the list may be legal as well. But I am still uncomfortable with the concept that judges can force a company to turn over my personal information to spammers.
As an aside, I sent a letter to the judge who ruled that AT&T must hand over their list to Bursor and Fisher. I also contacted AT&T through their privacy address and through one of my personal contacts. To date, no one has followed up with me.

Related Posts

You've got to be kidding me

Earlier this week I received an email to a work address I retired 4 or 5 years ago. The from and subject lines alone were enough to make me laugh and decide I had to blog about this particular spammer.

Read More

Spammers, eh?

From my inbox, missed by the spamfilter:

Do you know people who have worked a lot or could not find a job for a long time and suddenly began to earn well, gain valuable items and look better?
We can reveal to you their secret.
Anyone who bought a diploma from us raised their standard of living in half!
Our diplomas are verified and credible. We offer expert help in selection of the right option and a short waiting time.
Don’t look at other – DO YOUR OWN SUCCESS!
—–
+ 1 – 646 – 555 – 1212
—–
We need your infarmation:
1) Your Name
2) Your Country
3) Telephone No. with a code of country if you are outside USA
Do Not Reply to this Email.
We do not reply to text inquiries, and our server will reject all response traffic.
We apologize for any inconvenience this may have caused you.
This is not a spam
If you don’t want to receive this message to your e-mail, call this number and refuse it – spell your e-mail

Read More

Security framework document published

The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security. While others decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of their recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.

Read More