Earlier today, I received the following email:
Creative Commons believes in open, frank, and prompt communication with our community, including our donors. We also take your privacy seriously. We are committed to responsibly guarding the personal information you share with us.
In keeping with these principles, we want to tell you about a situation that came to our attention very recently involving your personal information. In 2013, during a migration of files to GitHub, we mistakenly posted an electronic file in a public repository that contained some donor information. Specifically, the file included the names, addresses, email addresses, and donation amounts of about 2000 individuals who donated to Creative Commons between 2004-2007.
The file did not include any credit card or other financial information. When we learned about the problem earlier this week, we immediately and permanently removed it from GitHub. We have no reason to believe anyone other than the individual who called this to our attention found the data, or that anybody misused the data.
We deeply regret this mistake and apologize for its occurrence. If you have any questions about this incident or about CC's policies relating to collection, maintenance, and protection of your personal information, please contact email@example.com.
Thank you for continued support.
While I am normally happy to hear that a company is being proactive about notifying me about a privacy breach, this case makes me sad - primarily because I am "the individual who called this to their attention."
Early in the morning of April 30, I was doing a vanity search on Github. While most of the results were people who had included part of the Facebook API SDK I maintain in their repositories, I also found multiple search results leading to CSV files containing the aforementioned personal information ("names, addresses, email addresses, and donation amounts of about 2000 individuals who donated to Creative Commons between 2004-2007"). Clicking through to the repository containing these files, it looked like it contained a complete copy the Creative Commons website from some point in the past, and had been publicly available for some time.
Realizing that this was a problem, I immediately emailed Creative Commons to let them know about it. I am glad that they have taken care of this problem (by deleting the repository), but feel that there are other changes that they could and should make to ensure that a situation like this does not happen again.
Creative Commons' contact page does not state where to send information about security/privacy breaches, but I guessed that their Audit Committee would be a good choice. Unfortunately, there are two different email addresses listed for them on the contact page - the non-working firstname.lastname@example.org in a prominent position at the top of the page, and the actual address email@example.com hidden in the middle of a paragraph near the bottom of the page talking about financial impropriety, not privacy/security violations.
I was disappointed that I received no response from Creative Commons after sending my message. Because of this, I was unsure of whether they had received my email, whether they were still investigating the issue, or whether they had contacted the local District Attorney's office to have me prosecuted under the Computer Fraud and Abuse Act.
Since I had noticed that the repository had been deleted from Github, I assumed that my email had been successfully received, but had no way of knowing whether Creative Commons was planning on notifying the people whose personal information that they had made publicly available or was going to sweep everything under the rug.
While it is clear that this was an accident and a mistake, the email does not make it clear what steps Creative Commons took to establish that the information was not abused while it was available. Did they contact Github to see if there were logs about whether the repository had been cloned or otherwise accessed? Did they check the "Traffic" page on Github to see if others had linked or accessed the repository?
Creative Commons is a great organization whose goals I fully support. Increasing the information and transparency about how they plan to protect against future privacy breaches as well as resolve them when they do occur will only strengthen them.
Date: Sat, 10 May 2014 13:36:09 -0700
From: CC Legal <firstname.lastname@example.org>
Subject: CC followup on privacy incident
Thanks for your help in identifying this issue and for your related suggestions. You’re welcome to post this reply as an addendum to your blog post; we’ll also be posting it on the Hacker News thread.
We regret not replying to you promptly about what we were doing to resolve the issue, and to express our gratitude. That was our error, and we apologize. Our immediate focus was on locating the file you identified, confirming that no other files with sensitive information had been inadvertently uploaded, determining what information the file contained, and identifying and contacting affected donors. Thankfully, we were able to remove the file the same day you reported the incident. That was our highest priority.
We have since learned that our rapid deletion of the file limits our ability to access statistics about its use. We will share an update if we learn more about views or possible downloads.
As to your other suggestions, they are well taken and we will do better. Both emails for the audit committee on the contact page are functional but in order to avoid confusion, we removed one of them. We have also emphasized that email@example.com is the most appropriate portal for sending privacy-related concerns at this time.
Thanks again for calling this to our attention, and our apologies for not more quickly replying to you individually.