SparkLIST Questions Highlight Web Security Woes

A number of email newsletter publishers are complaining that someone is spamming their proprietary email lists — raising the question of how secure any data really can be in the hands of a third-party vendor.

The emails in question seem to be have originated from one or more mailers operating out of Raleigh, N.C., known in anti-spam circles as the “North Carolina Spam Gang.” It is not known how the group obtained the lists; calls to its suspected leader were not returned by press time.

The lists had been maintained by SparkLIST.com, an email services provider that was acquired in August by Berkeley, Calif.-based Lyris Technologies, which had previously only owned a stake in the company. According to sources close to the firms, only a handful of SparkLIST’s original, Milwaukee, Wis.-based staffers were retained through the merger.

Lyris, which services clients including Disney, NBC and other firms, had provided the technology powering SparkLIST’s ASP. Jupitermedia, the parent company of internetnews.com, is also a SparkLIST customer.

Speaking with internetnews.com, company officials suggested whatever breach had occurred had taken place in August, before Lyris fully had taken over control of SparkLIST’s operations.

“Some of the spam was sent prior to the transition of technology to California,” Lyris Chief Operating Officer Steven Brown said. “That makes the investigation a little more complicated. We’re dealing with an infrastructure and an employee base that is not entirely our own.”

On Friday, SparkLIST issued a statement to customers acknowledging the breach publicly for the first time.

“I’m taking this issue very seriously, and I’ve been in contact with all the customers that have raised their hands about this,” Brown said. “If other clients come forward with spam … I will look at it immediately.”

Brown added that the company is conducting an internal inquiry while also retaining an outside security consultant, Word to the Wise.

A number of newsletter publishers affected by the spam were smaller, independent businesses involved in the online marketing arena, who suspected something was amiss when subscribers began reporting that spam had come to addresses used only for the newsletters.

Andy Sernovitz, chief executive at New York-based GasPedal Ventures — one of the email marketing consultancies affected — said he received dozens of complaints from subscribers.

Yet in spite of the apparent misappropriation of data — regardless of how it happened — Semovitz and others agree that such occurrences are almost a cost of playing the Internet business game.

“Hacking is something that happens — people understand it happens — but the real issue is how a company responds,” Sernovitz said.

Even email service bureaus agree.

“Security is an ongoing battle, and we have a company monitor our security daily,” said Michael Mayor, NetCreations’ president. “It’s an evolving process — you can’t just leave it alone and walk away and think it’ll be okay forever. The hackers get better and better at it. You have to be serious about your investment in security and think of it long-term.”

“There are people out there who want access to your address, and they’re very creative and diligent people,” he added. “You just have to know it’s a problem, and follow-through with addressing it.”

While SparkLIST did not comment on this story, the company’s site says its servers are “specifically insulated against hackers for an added peace of mind.”

Often, email list managers and mailers rely on a number of security procedures, ranging from changing user IDs and passwords often, ensuring that only a limited number of qualified personnel have access to client data, and making certain that terminated employees’ access is revoked.

“There’s architectural implementation issues as well,” said John Matthew, vice president of operations at Bigfoot Interactive. “The database should be isolated, in a sense, from the Internet. Our database is not accessible to the outside world — all access is only through APIs that we have internally. That’s the only method to get to the database.”

Steven Gittleson, vice president of technology at NetCreations, said his firm encrypts emails in its database and prohibits a user of its list management and distribution application from actually viewing email addresses.

“We never, ever, return email addresses to a user that’s in the application,” he said. “A user, who’s been authenticated twice, in our [internal] network and in the application … will never be able to [see] actual email addresses in the lists — only information about the lists.”

Gittleson also said the company keeps emails in an off-site, secure data center.

But even such efforts aren’t always sure-fire, which is why a number of vendors use processes like audit trails.

“Every [database] action is logged: the user, the date, as well as the action,” Matthews said. “So if there is any kind of compromise, we could go back to determine the user ID that initiated that action, and when that occurred. So, we could limit the impact [of a security breach] just by viewing the audit trail.”

NetCreations also uses Riptech, a unit of Symantec , to monitor its systems for hacker intrusion. Similarly to audit trails, monitoring doesn’t necessarily prohibit data loss, but instead relies on reviews of the system to learn quickly about any sort of attempt to breach it.

Lyris’ Brown said that the company had beefed up SparkLIST’s security after the merger.

“We made some changes to the SparkLIST network since the acquisition, including reformatting all of SparkLIST’s hard drives with new operating systems, removing all operating system passwords, and upgrading the SparkLIST servers to the latest version of our hosting software,” he said. “I’m very confident of the security of our network. I can’t comment on the security prior to the acquisition.”

One of the major hurdles that the average email recipient faces is that some companies — both vendors and clients — don’t take privacy as seriously as they ought, say players in the space.

“I don’t know if people are taking it as seriously as they should,” Mayor said. “If it’s done though a third party, or if someone doing their own hosting, I don’t know if it’s something you can’t take too seriously. [Vendors] need to understand that security is a necessary part of your expenses here, and you have to include that into your operating expense … If you don’t make an ongoing commitment to do that you’re not going to have that asset for much longer.”

“It raises a lot of issues, and I think that people that are looking for an email provider or service bureau should really be asking these questions — how secure is it, what are you doing and what is your ongoing action plan to protect your lists?” he added. “Those are obvious question for some people, but not for others.”

Some said that a few marketers, on the other hand, are becoming increasingly savvy about the issue. Bigfoot Interactive spokespeople said that a number of incoming RFPs that it’s seen have shown a growing sophistication in asking about the thoroughness of its data security measures.

Matthew also said that increasing customer demand for tight data policies are also prompted by ballooning email marketing by financial services and other industries in which data collection, sharing and security are heavily regulated.