In Response to Data Breach, Cracked.com Changes Privacy Policy
FOR IMMEDIATE RELEASE: January 14, 2008
Media Contact: Aaron Titus
(202) 669-2969
NEW YORK, New York. In early October 2007, the Liberty Coalition discovered a file containing what appears to be the names, genders, dates of birth, salary information, e-mail addresses, t-shirt sizes, and contact information for approximately 1,010 Cracked.com subscribers. The file was available to the online public: it was not password-protected, encrypted, or behind a firewall, and it required no authentication to access. The exposure contradicted Cracked.com's already weak Privacy Policy:
"We use commercially reasonable efforts to safeguard and secure your personal information while stored on our computer systems. We use a variety of industry standard security measures, including encryption and authentication tools, to maintain the confidentiality of your personal information. Your personal information is stored behind industry standard firewalls and is only accessible by a limited number of persons who are authorized to access such systems, and are required to keep the information confidential." (Accessed 11 October 2007)
However, presumably in response to this breach, Cracked.com has since changed its privacy policy to disclaim all responsibility for exposing customer data:
"We have physical, electronic, and managerial procedures to help safeguard, prevent unauthorized access, maintain data security, and correctly use your information. HOWEVER, WE DO NOT GUARANTEE SECURITY. Neither people nor security systems are foolproof, including encryption systems. In addition, people can commit intentional crimes, make mistakes or fail to follow policies. If applicable law imposes any non-disclaimable duty (if any), you agree that the standard used to measure our compliance with that duty will be one of intentional misconduct."
Translation: "We screwed up, and we're not going to take any responsibility for it unless you sue us. You're on your own if we put you at risk."
By the time the file was discovered, it had already been removed from cracked.com, but continued to be available through Google's cache. Cracked.com was notified of the breach, and they subsequently changed their privacy policy.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
About NationalIDWatch.org
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.
