Earlier today both Rick Schwartz and Michael Berkens wrote about an unfortunate incident at Moniker.com in which a customer of the popular registrar was victimized by a Moniker employee who accessed confidential personal identification data for a WhoIs Privacy protected domain registered by the customer, then used it against that customer by sending the information to his employer.

I was made privy to the details of this incident a few days ago when the customer (a longtime friend with a spotless reputation) told me what happened in an off the record conversation. No names have been released thus far because it has been his wish to give Moniker a chance to resolve the problem and make changes aimed at preventing similar incidents in the future.

Moniker's first public comment on the issue came today when Schwartz and Berkens received a brief statement from the company shortly after Schwartz published his post (the statement apparently did not go out to all media outlets as I never received it). According to their posts, the statement from Mason Cole, the VP for Community & Industry Relations for Moniker parent Oversee.net, said: "Moniker has learned that one of its employees violated company policy by distributing customer data for a single domain name registration. The employee has been placed on administrative leave while the company further reviews the matter."

"Only one employee and one customer registration were involved. However, unauthorized data access of any kind, no matter how large or small, is an issue taken very seriously by Moniker and by its parent company, Oversee.net, and is being addressed directly."

While the customer understandably feels violated and angry about the information being sent to his employer, it is admirable that he is also focused on seeing changes made that will help prevent such incidents from harming any customer in the future.

Upon hearing his account, the biggest surprise to me was that this kind of private information was so easily accessible to multiple registrar employees who have no need to see such sensitive data. I would have thought that only a very limited number of high level personnel could get to this information, which can normally be released only through legal means such as a UDRP filing or law enforcement request.

When you pay an extra fee for WhoIs Privacy you have a right to expect that the registrar is going to take extra measures to ensure that data stays private. For a quality registrar like Moniker that has built their brand on security, this has to be a major embarrassment. However, it should also serve as a welcome wake up call to tighten security and limit the circle that has access to private information. That goes for every registrar that offers WhoIs Privacy services.

The ironic thing about this incident, based on the parts of the account that I can share, is that the employee in question attempted to harm someone who actually had the employee's best interests at heart. The customer registered a number of domains that included an industry figure's name followed by the word "Sucks", including names of his own friends and relatives. He said it was his intention to keep those domains out of the hands of others who would use them to attack those people (a common defensive registration technique among corporations today).

When the employee learned that someone registered their name followed by "Sucks", the employee then bypassed WhoIs Privacy protection to find out who it was. Had the employee stopped there no one would have been the wiser. However, suffering from an inexplicable lapse of judgment, the employee sent an email to the customer's boss to complain about the registrant. It is probably now safe to assume that the registrant will not be sending the name on to the employee as he originally intended.