Incident i20140814.1
- Incident Number: i20140814.1
- Status: execution
- Incident Manager: BenediktHeintel
- Date of incident opened: 2014-08-14
- Date of incident closed: 201Y-MM-DD
- Incident title: Attempted privacy data breach
History Log
- 201Y-08-14: Incident i20140814.1 created
- 2014-08-14: Full names in private part
1. Incident Response Team
- internal Auditor
2. Incident Description
Post by a support member (answer to a web form request) on a public mailing list (cacert-support@lists.cacert.org):

Hello [requester name],

> Email: [requester email]

I did not find a CAcert account related to this email address. If the problem cannot be solved, please write to support@cacert.org and tell me your main email address of your account.

The support member looked up the requester’s e-Mail address.
3. Containment Actions
No action was taken to contain the incident; there is no available data to look up.
4. Root Causes
The requester did not ask the supporter to look up the email account data, nor did an arbitrator, nor does a precedent case give him the right to do so. The supporter violates § 8 in conjunction with § 9 of the Privacy Policy.
5. Permanent Corrective Actions
Dispute a20140712.1 was requested:
Dear Arbitrators,

As CAcert's internal Auditor, I would like to open a dispute against supporter [supporter's name].

Reasons: Audit got aware of an attempted data privacy breach and abuse of supporter power by named supporter, documented in i20140814.1 [1]. Audit has not the tools and power to prosecute an individual based on his/her misbehaviour. Therefore, I would like to ask arbitration to take over the case and handle the individual prosecution against named supporter.

The Supporter violated § 8 in conjunction with § 9 Privacy Policy [2] by attempting to look up the data related to an email address posted to the public mailing list (cacert-support@lists.cacert.org) with a support question. Based on his statement, the attempt was not successful, since the address does not exist in our database.

This case might be related to [4].

Best Regards
Benedikt

[1] https://wiki.cacert.org/Audit/Incidents/i20140814.1
[2] http://www.cacert.org/policy/PrivacyPolicy.html
[3] https://wiki.cacert.org/Arbitrations/a20140624.1
[4] https://wiki.cacert.org/Audit/Incidents/i20140625.1

6. Verify Corrective Actions
Case still pending
7. Preventive Actions
In a similar case, i20140625.1, the Auditor already proposed preventive actions to be implemented.
8. Approval & Closure
- Approved: 2015-08-11 m20150803.3
- Date closed: