
You're so Moneysupermarket.con
Price-comparison darling Moneysupermarket.com has been fined £80,000 for sending 7.1 million emails to customers who had opted out of receiving direct marketing emails. The UK’s data protection watchdog stepped in to compare the firm’s behaviour with the law – and found that it had attempted to circumvent rules on direct …
If they can't be trusted with a simple opt-out request, they cannot be trusted to do anything.
Maybe. But I suspect that the spamming here is down to the ignorance or wilful abuse by a few marketing droids, obsessed by their latest "campaign", seeking eyeballs and click throughs. Having worked on the edges of marketing, I think many of those involved are so shallow and ill-informed that it's hardly surprising that we see misuse of customer data. In many cases, I'd go as far as to suggest that the marketing peeps THINK that they are compliant in this situation because the data is current or previous customers, and they've not realised that although the law allows a "soft opt-in" for customers, opting out nullifies that.
The question then arises whether the stupidity of a few marketing bods is representative of the firm's approach to its core business. In most larger businesses, I think generally not (exception for Talk Talk in particular). So would I trust Moneysupermarket to do a reasonably good job of market analysis and offering me close to best value on financial products? Yes. The service isn't free, they'll be making a buck somewhere, if I put the effort in I could find a better deal myself, but overall, the misuse of customer data by marketing makes me distrust marketers (and advertisers) in general far more than it sullies the company's own brand.
Now, if they suffered a really serious compromise of customer data, that's different, as in the case of Talk Talk and others.
If people have access to data they can process (by request or action) but don't understand the rules around the processing of that data then it identifies a fundamental problem with the company's governance.
Governance is generally led from the board of directors based on the remit of the shareholders...thus it's very very serious.
"Governance is generally led from the board of directors based on the remit of the shareholders...thus it's very very serious."
You're right, and I get that. But I'm not sure you can extend minor (for a given value of minor) crimes to be an indicator of more serious problems. The same logic would say that if there's petty expenses fraud, or staff stealing the stationery, then the whole company lacks financial governance and is at risk of serious fraud. Petty and major crime can certainly go hand in hand, but as a general rule, inflated mileage claims or stolen Post-it notes are not an indicator of anything seriously wrong with corporate governance. I speak from some experience, including working for a £250m company that went bust on the back of serious fraud, and working for another that got fined the fat end of £40m for wilful fraud. Both had robust, audited expenses processes...
The misuse of millions of customers' data is certainly more serious than you or I taking a single pack of "post-its" (some may differ on that, let him without sin etc), but the actual harm to the customers? Data governance is an emerging issue. There are some cowboys in every line of business, and mistakes will be made. But spamming out a load of undesired marketing email isn't in the same league as a real data governance problem that exposes customers' personal data.
"Having worked on the edges of marketing, I think many of those involved are so shallow and ill-informed"
This is very true - in previous workplaces I've sometimes had to be The Voice of Sanity[1] when Marketing people (i.e. the people who wish they could do sales but don't have the empathy required to be a good salesperson) suggest something so astoundingly stupid[2] that it's not only a bad idea, but quite possibly illegal as well..
[1] Not a role that comes naturally to me at all. I'm a cat person after all..
[2] One had heard of BlueJacking and wanted to use it to push adverts to passers-by. I had to a) explain in words of one syllable why it was such a bad idea and b) go over his head to the senior marketing person who, despite being in Marketing, was actually a very smart person indeed. She told him in no uncertain terms that, had he tried to put that idea into practice, he'd find himself in P45-land ASAP and also reported to the Police. He never really forgave me.
Which is why you generate unique email addresses at a cheap domain host, with forwarding to your "real" account.
Then when this happens, not only do you know WHO gave away your email address, but you can then just permanently blacklist any emails that arrive for it, thus saving you from all those marketing things they'd like to have from their partners.
I once had to ring up an educational computer furniture supplier, who somehow managed to get hold of the email that I'd ONLY given their rival. They basically admitted that they'd started the company from a stolen copy of the other company's database, helpfully brought in by a former member of staff.
It's more common than you think. I have several dozen websites where I *GUARANTEE* I never signed up to anything, but the email I gave for things like order notifications suddenly gets spammed by rivals or ends up on general spam lists. Therefore I have several dozen blacklisted email addresses (that still receive quite a bit of email, but it's refused with a snarky SMTP message) and companies to go with them.
E-Frag is one that springs to mind. I rented a game server from them once, about 10 years ago, and spam still comes in for that address I used, from all kinds of places.
For the cost of a £1 domain, it certainly cuts out a lot of spam. And if I wanted to, I could just not have the mailbox it delivers to be addressable directly (i.e. only accept the forwarded emails). Then I'd have basically zero spam, I think.
"Which is why you generate unique email addresses at a cheap domain host, with forwarding to your "real" account."
Or - if you use a real MTA like qmail on your own server, you either make your address the catchall for the domain (or generate another account and use that) and use non-existent addresses that are specific to the organisation[1] to the left of the @ sign..
I suspect postfix will do something similar.
[1] So, to the website dodgyvendor.co.uk you give the address dodgyvendor@[yourdomain]. If you then get spam to that address you'll know that someone there has either sold your address to the scum, or that DodgyVendor is living up to the name.. At which point you configure your firewall to reject any attempts to email that address.
Not quite, I've got firstname.lastname@yahoo.co.uk but my disposable addresses are six random letters, hyphen, anything e.g.:
abcdef-amazon@yahoo.co.uk
abcdef-moneysupermarket@yahoo.co.uk
all go to the main address inbox. I can then kill off any one of the disposable addresses wherever. The only requirement is that it always has to be the same prefix.
"It's more common than you think"
And Moneysupermarket aren't the only big name to be guilty of disregarding customer choices, as shown by this example from Barclaycard from a couple of weeks ago.
Note that the email (on the right) is clearly a marketing missive, while my account (bottom left) shows I've opted out of receiving such things. Just for added shits and giggles, top left is their page warning about email scams warning against emails asking for log-in details. A 'log-in' link in an email must obviously be perfectly safe, because no fraudster could conceivably do that with the link taking the victim to a fake version of the real site, could they?
How much would it take for a website that asks you whether you want to receive email communication or not to send you a receipt of what you chose? If you opted out, they could send you a one time email saying "You've opted out". Then you have a record of what you've agreed to.
Thing is, I'm almost certain I always opt out of these things, but I'm never sure as I've no receipt to confirm it or not. But I guess sending a receipt means these websites can bend the rules a bit and hope I don't remember opting out in the first place.
You need to be able to give a different email address for each subscription or opt-out. Develop a system. Then you'll know not only what you have done with your addresses but also what _they_ have done with your addresses. Most likely they'll have sold them, or at least leaked them. You probably wouldn't believe how many spammers try to send mail to my public mailing list addresses. Of course those addresses only accept mail from the lists to which they're subscribed.
You also need to be able to blacklist senders in all kinds of ways, ESPECIALLY country of origin, which will cut out more than 90% of the garbage, but also AS Number, envelope sender, recipient, other headers, body content...
In the end I wrote a Sendmail milter because there was nothing that would do it all for me:
mail6:# > grep money *list
xmas-milter_envfrom_blacklist:moneysupermarket.com => 1
(Yes, it's pure Perl.:)
If you don't do all this, the criminals will be laughing all the way from the bank (having just robbed it).
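The per-organisation address scheme of the last few posts (a catch-all domain, one local part per vendor, burned addresses refused at SMTP time with a message naming who leaked them) together with the envelope-sender blacklist of the milter above, as an added Python example that is not any commenter's code. The domain, secret and envelopes are constructed; the short HMAC suffix on each tag goes beyond the thread's scheme so that dictionary guesses at the catch-all are refused too.

```python
import hashlib
import hmac
import re

# Constructed for this example: your own catch-all domain and a local secret
# used to tag each address so guessed local parts are refused, not delivered.
DOMAIN = "example.org"
SECRET = b"constructed-example-secret"

def tagged_address(org: str) -> str:
    """The address you hand to one organisation, e.g. dodgyvendor-1a2b3c@example.org.
    Unlike a plain catch-all, a spammer's dictionary of local parts will not match."""
    org = re.sub(r"[^a-z0-9]", "", org.lower())
    mac = hmac.new(SECRET, org.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{org}-{mac}@{DOMAIN}"

class RcptPolicy:
    """SMTP-time verdict on (envelope sender, recipient), as a milter or Postfix
    policy service would give it: burned tags and listed senders are refused."""

    def __init__(self, burned=(), sender_blacklist=()):
        self.burned = {o.lower() for o in burned}                      # orgs that leaked their tag
        self.sender_blacklist = {d.lower() for d in sender_blacklist}  # envelope-from domains

    def decide(self, envelope_from: str, rcpt_to: str):
        local, _, dom = rcpt_to.lower().partition("@")
        if dom != DOMAIN:
            return "REJECT", "relay access denied"
        m = re.fullmatch(r"([a-z0-9]+)-([0-9a-f]{6})", local)
        # Recompute the expected tag for this org and compare in constant time.
        if not m or not hmac.compare_digest(f"{local}@{DOMAIN}", tagged_address(m.group(1))):
            return "REJECT", "no such user"
        org = m.group(1)
        if org in self.burned:
            return "REJECT", f"{local} was given only to {org}, who leaked it; refused"
        sender_dom = envelope_from.lower().rpartition("@")[2]
        if sender_dom in self.sender_blacklist:
            return "REJECT", f"envelope sender domain {sender_dom} is blacklisted"
        return "OK", org

if __name__ == "__main__":
    # Constructed envelopes: legit order mail, spam to a burned tag, a listed sender, a guess.
    policy = RcptPolicy(burned={"efrag"}, sender_blacklist={"moneysupermarket.com"})
    for frm, to in [
        ("orders@dodgyvendor.co.uk", tagged_address("dodgyvendor")),
        ("deals@reseller.example", tagged_address("efrag")),
        ("news@moneysupermarket.com", tagged_address("moneysupermarket")),
        ("anyone@anywhere.example", f"admin@{DOMAIN}"),
    ]:
        print(f"{frm} -> {to}: {' '.join(policy.decide(frm, to))}")
```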
"In the end I wrote a Sendmail milter"
AAAAAAAAARRRRRRRRRGGGGGGGGGGGHHHHHHHHHHHHH
I'd managed to forget my days of having to wrangle sendmail and you've now brought it all flooding back!
I'm going to blame tonight's two bottles of wine on you[1]. Hopefully that'll wash away memories of Friday night spent down at the sendmail.cf[2]
[1] It's a good excuse anyway. Admittedly, said bottles were already on tonight's plan and now I can blame them on you when the Senior Controller at home asks. It's a win/win[3]
[2] Bonus points if you can remember the song that that line is stolen from (apart from the sendmail bit)
[3] Except, possibly, for my braincells and liver. But the wine vendor will be happy.
Fine £80,000 - new business as a result £xxx ??? The fine should be in excess of what they gained otherwise fines will just be seen as an extra cost.
Also: 1/2 the fine should be paid by board members, personally - out of income after tax. Unless it hurts someone in authority: behaviour will not change.
I was trying to figure *what* the **** you were on about here! After Googling, it turns out that "Fisto" is a "Masters of the Universe" character, so presumably it's a reference to that series' use as part of their ad campaign.
I assume "Fisto" is one of those more obscure characters created as an excuse to sell yet another toy to 7-year-old kids and probably won't be appearing in the ad campaign?
As is Lubo ;-)
"BT have been doing this for years..."
My landline has a PSTN<->SIP gateway on it that drops incoming calls. It is for emergency use only. The IAX trunks, when rung by a non-whitelisted number, respond with:
"Press 1 if you think we'd like to speak with you or 2 to leave a voicemail. If you are making an unsolicited sales call then hang up."
Haven't had a sales call in years. A full PBX is a bit over the top for most people but you can buy reasonably cheap devices that will filter incoming calls with a simple setup.
Capital One used to be one of the worst for this ( I used to work there), I don't know if they do it now, but about 15 years ago, you had to call them to activate your card, and there was no automated system. You HAD to speak to someone (me), and WE had to try and sell the utterly pointless - and worthless - Sentinel Card Protection before we'd let you use your card.
Then we'd have the 'courtesy calls' which, because it was supposedly classed as customer service, didn't count as a marketing/sales call. However, we always had to see if we could sell the infamous PPI which was the real purpose of the call.
I bet not a great deal has changed...Except the PPI bit. Pretty certain that has....
Capital One got my information and was sure I was someone else.
I finally resorted to very carefully reading the appropriate section from the law that said exactly how much they were going to get fined to a rep. And had them repeat it, state that they understood it, and so on.
It worked, after nearly 2 years of constant calls for Jennifer somebody. Now if I could take their junkmail, wrap it around a brick, and return it to their offices, they might eventually realize that I do not wish for further unsolicited contact.
Here in the US, there's a perception among rabid marketers that you can keep inventing new lists forever and customers must keep opting out of them. It's not true, but that's what Oracle does. (Yes, Oracle moved into the professional spamming business a few years ago.)
I give each organisation that I deal with a unique-to-them email address to be used to contact me. I always opt out of marketing. Any organisation that ignores my request is (a) blacklisted on the mail server and (b) added to the long and growing list of companies that I will never, ever deal with again.
If everyone were to boycott the companies that spam us they would go to the wall quickly.
BTW, the most pernicious of these companies is "Visit England" which ignores all opt-out requests and uses "unsubscribe" to confirm that the email they have for you is working. They regularly close the company down and then re-incarnate under a slightly different name, with the same directors. Complaints to OFCOM have had no effect, yet.
They're as bad as the cold-calling double glazing companies.