Full Disclosure mailing list archives

Re: Who should i contact?


From: <screwedbytaxes () hushmail com>
Date: Wed, 5 Jul 2006 07:06:58 -0700

Answers to clarify the situation:

# It's not H&R Block.

# I have checked the privacy policy and they explicitly assert that 
they will never share the email address for **any** reason with 
**any** party. Email address is to be used ONLY for filing taxes.

# The system that was used for taxes was specifically built for 
that specific tax season, and it was wiped (zeroes) and rebuilt two 
weeks later. It was not used for any other applications. It never 
saw ANY other networking or websites than simply filing taxes. Data 
was burned to disk afterwards and remains stored in a safe. This 
computer sat behind a firewall in a DMZ blocked even from the rest 
of the network. IIRC, this was also THREE years ago, and Bagle has 
only been around about two.

# While the addresses are not "random-proof", please explain how 
else these FOUR email addresses were specifically "randomly" 
generated and spammed within 72 hours of each other from the same 
IP address that sent no other spam to any other address on the 
server. One, sure. Two, big maybe. Three, very very unlikely. Four? 
Hell no.

# As for email, the only emails these addresses have ever received 
were confirmations of the original filing (2 each, from the period 
of original filing) and then two promotional emails (for the tax 
service) last year and again this year. Granted, these messages 
introduce at least the potential for exploitation on my side, but 
again, JUST the tax-related address? I use over 100 legitimate email 
addresses, more than 40 of them on a given day, and my other 
email addresses are plastered EVERYWHERE online. But NONE of those 
addresses were spammed by that IP, and these four, ALL tied to this 
one tax company, were? No way in hell is that a coincidence.


But more importantly, this is NOT about the spam. Sure, I'm upset - 
companies that pull that suck, but I don't really care about the 
spam. The spam is just a symptom of data being shared or exposed in 
violation of their privacy policy (we chose this company with their 
privacy policy in mind). I *do* care that the /rest/ of my data was 
likely lifted as well. I want to know if that was the case and if 
they have any hope or intent of doing anything about it.

Frankly, I don't think they care. If they did, they wouldn't put me 
in a position where I have to drag this into the media or a court 
just to get a simple answer.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
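The correlation the poster describes (unique per-party addresses, one sender IP hitting every address given to a single party and nothing else, within 72 hours) is a detection that can be run mechanically over a delivery log. The following is an added example, not the poster's code nor anything the poster ran: it assumes a constructed log line format (`timestamp client=IP to=<rcpt>`), constructed addresses and party names, and the common practice of handing each third party its own unique address so that unsolicited mail identifies the party that exposed it.

```python
"""Flag parties whose unique addresses were all hit by a single sender IP.

Added example (not from the original post). The log format, the addresses
and the party names below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: which party each unique address was handed to.
ADDRESS_OWNER = {
    "tax-2003a@example.net": "taxco",
    "tax-2003b@example.net": "taxco",
    "tax-2003c@example.net": "taxco",
    "tax-2003d@example.net": "taxco",
    "shop-news@example.net": "bookshop",
    "forum-fd@example.net": "public-list",
    "bank-alerts@example.net": "bank",
}

# Constructed delivery log: ISO timestamp, connecting client IP, recipient.
SAMPLE_LOG = """\
2006-07-01T03:12:44 client=198.51.100.7 to=<tax-2003a@example.net>
2006-07-01T09:40:02 client=203.0.113.9 to=<forum-fd@example.net>
2006-07-02T01:05:13 client=198.51.100.7 to=<tax-2003b@example.net>
2006-07-02T14:22:51 client=198.51.100.7 to=<tax-2003c@example.net>
2006-07-03T11:58:30 client=192.0.2.25 to=<shop-news@example.net>
2006-07-03T22:31:07 client=198.51.100.7 to=<tax-2003d@example.net>
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) to=<([^>]+)>$")


def parse_log(text):
    """Return a list of (timestamp, sender_ip, recipient) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a delivery record (assumed format), skip it
        ts, ip, rcpt = m.groups()
        events.append((datetime.fromisoformat(ts), ip, rcpt.lower()))
    return events


def hits_by_sender(events, owners):
    """Map sender IP -> party -> set of that party's addresses it reached."""
    hits = defaultdict(lambda: defaultdict(set))
    for _, ip, rcpt in events:
        party = owners.get(rcpt)
        if party is not None:  # ignore addresses not tied to any party
            hits[ip][party].add(rcpt)
    return hits


def suspected_leaks(events, owners, window_hours=72, min_addresses=2):
    """Return (party, ip, address_count, time_span) for every sender IP that
    reached ALL of one party's addresses, none of any other party's, within
    window_hours. min_addresses keeps single-address parties from being
    flagged on one coincidental hit (the "one, sure" case in the post)."""
    totals = defaultdict(set)
    for addr, party in owners.items():
        totals[party].add(addr)

    findings = []
    for ip, per_party in hits_by_sender(events, owners).items():
        if len(per_party) != 1:
            continue  # IP mailed several parties' addresses: not specific
        (party, reached), = per_party.items()
        if reached != totals[party] or len(reached) < min_addresses:
            continue  # partial coverage or too few addresses: weak signal
        times = sorted(t for t, i, r in events if i == ip and r in reached)
        span = times[-1] - times[0]
        if span <= timedelta(hours=window_hours):
            findings.append((party, ip, len(reached), span))
    return findings


if __name__ == "__main__":
    for party, ip, n, span in suspected_leaks(parse_log(SAMPLE_LOG), ADDRESS_OWNER):
        print(f"{party}: all {n} addresses hit by {ip} within {span}")
```

With the constructed log, only `taxco` is reported: its four addresses were the only ones `198.51.100.7` mailed, spread over about 67 hours. The single-address parties hit once each are suppressed by `min_addresses`, which is the same reasoning the post applies when it distinguishes one or two hits from four.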

