We would like to sincerely apologize to all our customers for an email error that occurred while notifying you about our system’s availability. Due to a human error, one of the notification emails inadvertently included the email addresses of other customers in the cc: field. The error was limited to a small subset of our users. We have investigated the issue, reviewed all our security and privacy policies and have taken measures to ensure this or any other security and privacy lapses do not happen again in the future. My contact information is at the bottom of this post and please reach out to me if you have concerns, questions or comments.

We want to reiterate that we take security and privacy extremely seriously and you can be confident that this will not happen again. Every aspect of our service is designed with security and privacy in mind. Our privacy policies have been reviewed and certified by Truste; McAfee runs tests daily to test the security of our systems; and our systems are hosted on Amazon Data centers to ensure the security and availability of your data and documents.  We welcome you to visit our Privacy and Security page at www.pixily.com/security to learn more about our security and privacy procedures.

What happened?

This morning an email notification was sent to users to inform them about an outage earlier in the day. This email was sent in multiple waves to different sets of OfficeDrop users. In one such email notification, customer emails were in the cc: list, there by revealing their email addresses to other customers.

Why did this happen?

Simply put, this was due to a human error and it should not have happened. We sincerely apologize to our customers for the mistake. We assure you that this is not the same set of processes that we use for notifications as part of our ongoing operations. This was a one-time email correspondence, for which we didn’t use our usual email notification systems (such as those that we use for our newsletters or other notifications), and it was sent to all users regardless of their notification preferences. Hence the scope for human error and will not happen again. We also wish to reiterate that no customer documents were impacted due to this email nor were any of the secure servers where we encrypt and store customer documents were affected.

What has OfficeDrop done to ensure it does not happen again?

The OfficeDrop team has investigated this issue in detail and has put together processes in place to ensure that this doesn’t happen again. Specifically, the following will be done:

1. An automated system that uses our existing proven notification mechanisms, will be implemented by July 20th. Like other systems in OfficeDrop, access will be restricted to authorized individuals. This system will eliminate human error such as the one that happened today.
2. We will review our employee training and improve our customer communication practices.
3. All Email broadcasts and customer communication will be reviewed in our monthly Security and Privacy audit meetings.

Some Parting thoughts:

I would like to thank all the customers who have offered their words of support for us. We take pride in the way we serve our customers. Please rest assured that we will continue to do everything we can to retain the high level of trust that you have placed in us.

As a token of our apology, we are offering one free Scanvelope to all customers who inadvertently had their email addresses exposed by us. We sincerely apologize and hope that we can make it up to you by impressing you with our reinforced security and privacy policies and procedures.

If you have concerns or questions, please feel free to reach out to me at prasad {@} pixily {dot} com or at 888-674-6493. I am at extension 703.

Sincerely,

Prasad Thammineni
CEO, OfficeDrop

This entry was posted on Saturday, July 11th, 2009 at 8:54 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.