Readers may recall my entry of 12 August on how Flare had allowed some of the information that I'd provided to them to be used by spammers. (I had creäted an e.mail address exactly for business with Fred Flare and provided it uniquely to them.) Not long after I'd posted that entry, I contacted the BBB; Flare should have been responding to the issue of a hacked customer dB with a sense of urgency, but there was no evidence of such a sense.
On 6 September, a representative from Flare commented to the 'blog, and also sent e.mail:
Please forgive our late response to customer complaint #8703538 from Daniel Kian McKiernan.
We are investigating whether our email service provider iContact might have been hacked.
We haven't found any evidence confirming this as of yet but are being extra thorough.
Rest assured, no credit card information has been compromised. We DO NOT save cc details for that very reason.
I will update you as I learn more. Thank you for your patience.
Now, as I implied in reply to the 'blog comment, the theory in that comment casting suspicion on UPS is a poor one. There's no particularly good reason for the spammer to spoof the name of their source (indeed, there is good reason for them not to do this), other spam from this breach spoofs other senders, and UPS (along with FedEx and DHL) has for many years routinely been spoofed by spammers.
The second theory (that in the e.mail) has some plausibility, but was, at that point, just a theory.
The promise (in the 'blog comment) of "More soon!" went simply unfulfilled. Meanwhile, spam continued to be sent to the address, at least one piece using my full name.
When the BBB dead-line for communication from Flare was imminent, they sent no more than a copy of that original 'blog comment and of that theorizing e.mail. The BBB, following SOP, asked me if this resolved my complaint, and I explained why it didn't.
I don't know how the NYC BBB handles attempts at a ratings change; the San Diego BBB has been known to allow merchants to revive cases after many months (and known then to completely discard the rating if the customer does not respond). (If Fred Flare does not act on this case, it will eventually be considered sufficiently ancient as not to be used in rating.)
For my part, I guess that my next step is to file a complaint with the FTC. I don't know that a lot will come of that, though.
I'm really saddened by this whole course of events. There is no question that Fred Flare offers some cool and whimsical stuff that is difficult or impossible to get elsewhere; I think that they should be rewarded for that much even setting aside whatever desire I might have for any of that stuff, and ceteris paribus I would want such an enterprise to prosper.
But it's imperative, in these days where information once loosed flows so freely, to take responsibility for the databases that we keep of information on other people (including the addressbooks of our e.mail handlers). Mistakes will happen, but we need to own any mistakes that we make, and to off-set their effects.
I had hoped that I'd get a reply within hours after I'd first contacted Flare. I should have been quickly told (as I was eventually told) that no credit-card information had been released. And Flare still needs to do something for those victims who, unlike me, provided addresses that are not easily discarded.