• by Joe Mandese  @mp_joemandese, May 25, 2018

With thousands of companies rushing to update their consumer data privacy policies in time to comply with today’s GDPR deadline, it was inevitable that some would experience glitches. But when Ghostery, a browser extension marketer whose whole reason for being is the protection of its users’ privacy, sent an email today explaining its updated policy, it inadvertently copied an entire list of of hundreds of users’ email addresses.

Under the subject line “Happy GDPR Day -- We’ve got you covered!,” Ghostery proceeded to blow its users’ email cover.

“Dear Ghostery Users,” the email reads, going on to note: “We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”

A Ghostery spokesperson did not return Digital News Daily’s call or email asking for a comment, but the incident likely was an oversight, given Ghostery’s mission.

Update:

On Saturday, Ghostery published a blog posting explaining that the email address breach was due to bringing its list management in-house from an outside email platform:

"Recently, we decided to stop using a third-party email automation platform. In an effort to be more secure, we wanted to manage user account emails in our own system, so we could fully monitor and control data practices surrounding them. Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the “To” field. We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.

"Only email addresses and the fact that you are on our mailing list were inadvertently disclosed."