Early this week, Network Solutions Inc sent an email to every customer who is listed as a registrant of a .org domain name. A subset of these emails, thousands of emails in total, each weighing in at 2MB, alphabetically listed about 87,000 customer email addresses.
“We will apologize to our customers. We regret that it happened,” VeriSign spokesperson Pat Burns said. He said that a few thousand people received the mail, which may have been sent due to human error. The company is investigating the incident.
Every one of NSI’s .org registrants whose email address begins with the letter R or above was affected. Burns said that those with addresses starting with A through Q were not affected. Customers of other registrars were not affected. While the data is freely available on a query basis via one of many Whois services, the data is not normally available in bulk. VeriSign is actually permitted under its registrar contract to sell its customer lists for up to $10,000.
But the slip-up is more of a concern from an image perspective. VeriSign, which uses the catchphrase “The Value Of Trust” to market its security services, recently re-launched the NSI brand, some say partially to distance itself from the frequently controversial registrar business.
Sam Patterson, CEO of ComponentSource Inc, was one of the email’s recipients. He said: “It instantly makes you worry about security. As a customer, that this came from one of the leaders in security and digital signatures… it’s a worry.”
Ernst & Young’s director of security services Mark Doll, co-author of executive security handbook Defending The Digital Frontier, said: “Some of the biggest branding blunders have been accidental releases of information. With spam as high as it is, releasing this kind of email can only hurt.”
Co-author Jose Granado added: “I equate this with somebody falling asleep at the wheel.” Under forthcoming California legislation, companies will be obliged to disclose to customers that their data has been compromised, he added.
The snafu came just days before VeriSign’s registry division hands over control of the .org domain to Public Internet Registry, an Internet Society affiliate. The transition is due this weekend, and NSI was attempting to inform customers of a service blip.
A spokesperson for Afilias Ltd, which is handling the technical back-end for PIR when it takes over .org on January 25, said: “The registrar sent the email, not the registry, so Afilias and PIR are not involved.”
The NSI registrar is the customer-facing retail arm of VeriSign’s domain name business. The VeriSign registry manages the database that matches .com and .net domains to IP addresses. The two businesses are technically and logically separate entities.
ComponentSource’s Patterson said that he probably will not switch registrars as a result of the glitch. He added: “From what I can tell it was only contact info. If it had been credit card numbers, it would be a different story.”
Source: Computerwire