20 Nov 2001
Compaq has blamed "human error" for the mistake that exposed thousands of its Presario customers' email addresses by including them all in the 'to' field of a mass mailout. Some 2,900 email addresses were involved.
Labelled "ridiculous" by security experts, the embarrassing blunder may be investigated by the Information Commission as a breach of the UK's Data Protection Act, even though Compaq insists no other customer data has been exposed.
Eva-Maria Bieda, PR manager at Compaq EMEA, said: "Compaq regrets that every customer who had registered for a Microsoft Windows XP upgrade received an email yesterday [Monday 19 November] where all email addresses were fully visible.
"However, we can ensure that no other sensitive data of the order process is accessible to others. Compaq takes this incident very seriously and is working with its suppliers to ensure the safety of data in the future. We will also follow up with our customers to explain the situation to them."
Terry Scerri, director of Compaq's Access Business Group, EMEA, said the website and subsequent email were not produced in-house and blamed "human error" by one of its suppliers for the rogue mass email.
The firm refused to name the errant supplier or comment on why the email sender was labelled 'Wisdom IT' in the in-box of some recipients.
Jonathan Bamford, assistant commissioner at the Information Commission, told VNU News Net: "We would look into any complaint brought by individuals on the list of recipients who felt their privacy had been breached."
Asked about the Data Protection Act, Scerri said: "I have no comment to make on that. We're still investigating the details with our supplier and our in-house legal team."
Bamford added: "It doesn't matter if Compaq used a contractor, the data is still owned by Compaq so they are the data controller and they are legally liable."
Customers, already furious over being kept waiting for a month for their free upgrade to Windows XP, said they couldn't believe what had happened.
"I give up, what a complete fiasco," said Andrew Cleland, who bought a Compaq Presario 5146EA from PC World early in October.
"It seems ironic that the footer should say 'The contents of this email are confidential to the intended recipient at the email address to which it has been sent. It may not be disclosed or used by anyone other than the addressee nor may it be copied in any way'."
Experts said the matter was a nightmare for Compaq.
"What dreadful PR," said Alex Barnett, chief operating officer at web design firm Bluewave. "It looks like the kind of mistake that involves a manual process or a shoddily-written in-house application. But whatever system they're using, the golden rule is that this can't happen."
"This is now potentially very embarrassing for Compaq," said Neil Barrett, security consultant at Information Risk Management. "There is a clear link between email and the individual, and it is a possible breach of the Data Protection Act."
"This is ridiculous," agreed Mark Read, network security analyst at MIS-CDS. "Leaving aside the security aspect, it is effectively like giving away your customer database, and my immediate concern is whether there is a spammer on the list. That's a valuable chunk of information."
Read also pointed out that many of the intended recipients of the email may not learn of the blunder until Compaq contacts them to apologise.
"Customers using business email addresses may have had the message blocked at the corporate firewall because of the sheer number of names in the header," he said.