How Kickstarter Deals With E-Mail Addresses

On the 21st of December, I received an e-mail from the sender orderconfirmation@cartmailbox.info, designed like an Amazon order confirmation, stating that I had ordered products with a total value of $2,600.


This e-mail was sent to kickstarter@catchall and was not related to my Kickstarter account. The RFC 822 headers reveal an envelope sender from the domain cartmailbox.info.
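The kind of check described above, as an added example that is not part of the original post: it parses a constructed message (the headers below are made up, modelled on the incident; catchall.example is a placeholder catch-all domain), pulls the Return-Path (envelope sender) and From: domains, reads the recipient's local part to see which service that address was handed to, and flags a display name that claims a brand whose domain neither sender address actually uses.

```python
"""Attribute a suspicious message received on a per-service catch-all address.

Added example, not from the original post. Assumes a catch-all domain
(hypothetical: catchall.example) where every service gets its own local
part, e.g. kickstarter@catchall.example, so the recipient address itself
records which service the address was given to.
"""
import email
from email import policy
from email.utils import parseaddr

# Brand keyword (matched against the From: display name) -> domains that
# brand legitimately mails from. Only "amazon" is needed for the sample.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.de")}

# Constructed sample message, not the author's actual e-mail.
SAMPLE_EML = b"""Return-Path: <bounce@cartmailbox.info>
From: "Amazon.com" <orderconfirmation@cartmailbox.info>
To: <kickstarter@catchall.example>
Subject: Your order of $2,600 has shipped

Thank you for your order.
"""


def domain_of(addr_header):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def local_part_of(addr_header):
    """Lower-cased local part of the first address in a header value."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.split("@", 1)[0].lower() if "@" in addr else ""


def is_under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def analyze(raw, brand_domains=BRAND_DOMAINS):
    """Return attribution data for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, _ = parseaddr(str(msg.get("From", "")))
    header_from = domain_of(msg.get("From"))
    # Return-Path is the envelope sender (SMTP MAIL FROM) as recorded by the
    # receiving MTA; bounces go there, and it is what the From: header
    # shown to the user is often chosen to hide.
    envelope = domain_of(msg.get("Return-Path"))
    # The local part of the recipient names the service the address was
    # handed to, i.e. the most likely point where it leaked.
    alias = local_part_of(msg.get("To"))

    claimed = [b for b in brand_domains if b in display_name.lower()]
    spoofed = any(
        not any(is_under(d, legit) for legit in brand_domains[b])
        for b in claimed
        for d in (header_from, envelope)
        if d
    )
    return {
        "leaked_via": alias,
        "envelope_domain": envelope,
        "header_from_domain": header_from,
        "claimed_brand": claimed[0] if claimed else None,
        "brand_spoofed": spoofed,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run against a real message, the interesting output is `leaked_via`: with one local part per service, the address the phish arrived on tells you which third party the address was given to, independent of what the sender domain claims.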

I contacted Kickstarter, pointing out that either the information had been shared with third parties or the Kickstarter database might be compromised. I did not receive any response within 10 days.

It is obvious that Kickstarter creates a situation similar to Indiegogo's: when you back a project, your information is shared with the crowdfunded project. Kickstarter does not give the user the option to adjust the e-mail address before it is passed on to the project creator. That is unfortunate, because especially with startups it can be assumed that their IT infrastructure is not the best. Some startups on Indiegogo ask the backer for an e-mail address themselves and allow them to give one other than the address used on Indiegogo.

The result is that Indiegogo and Kickstarter become major sources for phishing e-mails like the one above.

It would be easy for Kickstarter to ask the user, for every single project, whether they want to share their Kickstarter e-mail address or provide an alternative one. As long as that is not an option, Kickstarter has to take some of the responsibility as the platform that shares information with third parties.

Especially when it comes to Article 33 of the GDPR, Kickstarter puts itself in a bad position. On the one hand, there is an obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it; on the other hand, Kickstarter cannot be sure whether the breach happened on its side or on the startup's side when a user reports a leak of a catch-all address.
