Earlier today, I received the following email:

Creative Commons believes in open, frank, and prompt communication with our community, including our donors. We also take your privacy seriously. We are committed to responsibly guarding the personal information you share with us.

In keeping with these principles, we want to tell you about a situation that came to our attention very recently involving your personal information. In 2013, during a migration of files to GitHub, we mistakenly posted an electronic file in a public repository that contained some donor information. Specifically, the file included the names, addresses, email addresses, and donation amounts of about 2000 individuals who donated to Creative Commons between 2004-2007.

The file did not include any credit card or other financial information. When we learned about the problem earlier this week, we immediately and permanently removed it from GitHub. We have no reason to believe anyone other than the individual who called this to our attention found the data, or that anybody misused the data.

We deeply regret this mistake and apologize for its occurrence. If you have any questions about this incident or about CC's policies relating to collection, maintenance, and protection of your personal information, please contact [email protected].

Thank you for your continued support.

While I am normally happy to hear that a company is being proactive about notifying me about a privacy breach, this case makes me sad - primarily because I am "the individual who called this to their attention."

Early in the morning of April 30, I was doing a vanity search on GitHub. While most of the results were people who had included part of the Facebook API SDK I maintain in their repositories, I also found multiple search results leading to CSV files containing the aforementioned personal information ("names, addresses, email addresses, and donation amounts of about 2000 individuals who donated to Creative Commons between 2004-2007"). Clicking through to the repository containing these files, it looked like it contained a complete copy of the Creative Commons website from some point in the past, and had been publicly available for some time.

Realizing that this was a problem, I immediately emailed Creative Commons to let them know about it. I am glad that they have taken care of this problem (by deleting the repository), but feel that there are other changes that they could and should make to ensure that a situation like this does not happen again.

Make it Easier to Determine Who to Contact

Creative Commons' contact page does not state where to send information about security/privacy breaches, but I guessed that their Audit Committee would be a good choice. Unfortunately, there are two different email addresses listed for them on the contact page - the non-working [email protected] in a prominent position at the top of the page, and the actual address [email protected] hidden in the middle of a paragraph near the bottom of the page talking about financial impropriety, not privacy/security violations.

Reply to the Issue Reporter

I was disappointed that I received no response from Creative Commons after sending my message. Because of this, I was unsure of whether they had received my email, whether they were still investigating the issue, or whether they had contacted the local District Attorney's office to have me prosecuted under the Computer Fraud and Abuse Act.

Since I had noticed that the repository had been deleted from GitHub, I assumed that my email had been successfully received, but had no way of knowing whether Creative Commons was planning on notifying the people whose personal information they had made publicly available or was going to sweep everything under the rug.

Better Notification of Affected People

While I was glad to receive any notification, it looks (based on the email address that the email was sent to) like only affected donors were emailed. In the event of a security breach by third parties, Creative Commons notes in their privacy policy that they will "post a reasonably prominent notice" on their website. It is unfortunate that a security breach that they created themselves is not deserving of such notice.

Better Policies to Prevent Future Issues

While it is clear that this was an accident and a mistake, the email does not make it clear what steps Creative Commons took to establish that the information was not abused while it was available. Did they contact GitHub to see if there were logs about whether the repository had been cloned or otherwise accessed? Did they check the "Traffic" page on GitHub to see if others had linked or accessed the repository?

More troubling, the email contains no information on how Creative Commons plans to prevent such an occurrence from happening in the future. Do they plan to run security audits before making new codebases public? Are they checking all of their databases to ensure that they are only keeping information "for so long as reasonably needed or required" as their privacy policy promises? Before "immediately and permanently removing" the repository, did they check for other sensitive information that could be contained in it?
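One form the "audit before making a codebase public" check could take, as an added example that is not Creative Commons' own code: a pre-publication scan of a repository tree that flags files carrying many e-mail addresses next to donor-style column headers (name, address, email, amount). The sample repository, its file names and the threshold of five addresses are constructed assumptions.

```python
# Added example (not Creative Commons code): flag donor-style exports before a tree is published.
import csv
import io
import os
import re
import tempfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Column names that, next to many e-mail addresses, suggest a donor or contact export.
PII_HEADERS = {"name", "address", "email", "amount", "donation"}
MIN_EMAILS = 5  # assumed threshold: a contact page has one or two addresses, an export has many

def scan_text(path, text):
    """Return a finding for `text` if it looks like exported personal data, else None."""
    emails = EMAIL_RE.findall(text)
    if len(emails) < MIN_EMAILS:
        return None
    header = {h.strip().lower() for h in next(csv.reader(io.StringIO(text)), [])}
    return {"path": path, "emails": len(emails), "pii_columns": sorted(header & PII_HEADERS)}

def scan_tree(root):
    """Walk `root` (skipping .git) and report every file that should not go public as-is."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = scan_text(os.path.relpath(path, root), fh.read())
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_repo():
    """Construct a throwaway website copy with one donor export hidden among ordinary files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "data"))
    donors = "name,address,email,amount\n" + "".join(
        f"Donor {i},{i} Example St,donor{i}@example.org,{10 * i}\n" for i in range(1, 9))
    files = {"index.html": "<p>Write to info@example.org</p>",  # one address: not an export
             "data/donors-2005.csv": donors,                       # constructed donor export
             "README": "Website sources."}
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for f in scan_tree(build_sample_repo()):
        print(f"{f['path']}: {f['emails']} e-mail addresses, columns {f['pii_columns']}")
```

Run against a real checkout, the same walk would be pointed at the working tree (and, separately, at the output of `git log --all -p`, since deleting a file from the head commit does not remove it from history).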

Creative Commons is a great organization whose goals I fully support. Increasing the information and transparency about how they plan to protect against future privacy breaches as well as resolve them when they do occur will only strengthen them.

Update: Creative Commons Replies

Date: Sat, 10 May 2014 13:36:09 -0700
From: CC Legal <[email protected]>
Subject: CC followup on privacy incident

Thanks for your help in identifying this issue and for your related suggestions. You’re welcome to post this reply as an addendum to your blog post; we’ll also be posting it on the Hacker News thread.

We regret not replying to you promptly about what we were doing to resolve the issue, and to express our gratitude. That was our error, and we apologize. Our immediate focus was on locating the file you identified, confirming that no other files with sensitive information had been inadvertently uploaded, determining what information the file contained, and identifying and contacting affected donors. Thankfully, we were able to remove the file the same day you reported the incident. That was our highest priority.

We have since learned that our rapid deletion of the file limits our ability to access statistics about its use. We will share an update if we learn more about views or possible downloads.

As to your other suggestions, they are well taken and we will do better. Both emails for the audit committee on the contact page are functional but in order to avoid confusion, we removed one of them. We have also emphasized that [email protected] is the most appropriate portal for sending privacy-related concerns at this time.

Thanks again for calling this to our attention, and our apologies for not more quickly replying to you individually.