Moniker: Issues Statement On “Unauthorized Data Release” By Moniker Employee

2010 December 31
by Michael H. Berkens

Moniker has just released the following statement acknowledging an “unauthorized release of customer data” by a Moniker Employee:

“Moniker has learned that one of its employees violated company policy by distributing customer data for a single domain name registration.  The employee has been placed on administrative leave while the company further reviews the matter.

“Only one employee and one customer registration were involved.  However, unauthorized data access of any kind, no matter how large or small, is an issue taken very seriously by Moniker and by its parent company, Oversee.net, and is being addressed directly.”

This appears to be related to the story Rick Schwartz hinted about yesterday and wrote about today on his blog.

Based on the information contained in Rick’s post and the above statement, I think the employee should have been named and fired, and Moniker should have immediately implemented a policy that would prevent any future “unauthorized data release” by denying access to such information.

If people place their names under privacy, sometimes paying extra for the privilege, they should receive privacy.

Domains under Privacy should only be disclosed as and if required by law, such as under a UDRP or court order.

91 Responses
  1. 2011 January 1

    Mike,

    The post was directed toward Anon. I know you know all the details of everything that takes place in the domain industry.

  2. 2011 January 1

    It appears that domain investors want Moniker and Oversee to fail. Essentially, they’re giving Moniker and Oversee an ultimatum to respond to the incident. Domain blogs think they have the upper hand.

    This breach is not as serious as people are making it out to be. It’s actually embarrassing for the domain industry to even consider the incident a major problem.

  3. 2011 January 1
    John Berryhill

    Anyone with a serious interest in the subject of Whois
    privacy would do well to listen to the recent discussion of
    disclosure policy at the recent ICANN meeting, the audio archive of
    which is here: http://cartagena39.icann.org/node/15439 My comments
    are at 1:10:38, Mike, since you seem not to have a very good
    ability to figure out my opinions in this area. I don’t recall you
    bothering to show up for the discussion.

  4. 2011 January 1

    Mike, after reading the DNJournal story you linked to, I got to wondering about the actual logistics at play here. When Ron said, “I would have thought that only a *very* limited number of *high level* personnel could get to this information”, it may not even be a real possibility.

    This is a bit of a lengthy explanation, but bear with me: when one registers whois privacy, that keeps your info out of the public domain, but it doesn’t necessarily make the domain private in the actual administrative interface in use by the registrar. Having worked at a tech company, I can tell you that every member of the support department had access to client accounts, being able to log in as a client with a single click. There would simply be no other way to provide support without the ability to troubleshoot by replicating a problem from the client side (i.e. log in as the client). Generally anyone who is involved on the development team for the application, as well as systems admins, also will have this access.

    So it’s not unreasonable to assume many (even most) employees could have this type of access. Certain sensitive information is always encrypted, such as passwords and credit card #s, but you can’t really encrypt the name of the domain inside your account, or you wouldn’t even know what it was.

    Not sure if I’m making it clear, but to elaborate, there are not going to be two separate interfaces to your account (one for you and one for support), so for example, you’re not going to have a situation where you as the registrant are able to log in to your account and see:

    domain1.com
    domain2.com
    domain3.com (whois on)
    domain4.com

    and have a member of the support (or any other employee) log in to an interface for the same account that shows, say,

    domain1.com
    domain2.com
    ********.com (whois on)
    domain4.com

    I hope you see my point. So like it or not, lower level employees such as any member of support are going to have access to your account and could in theory see every domain you own (unless someone can jump in here and prove me wrong). The only real key here, imo, is to hire well.

    That said, it would also seem that trying to connect any domain at random with any of thousands of registrants at a registrar would be like finding a needle in a haystack, unless the employee a) just happened to notice the particular domain while administering a client account (pretty damn lucky) … or b) there is some sort of (searchable) database connecting every domain to its respective client account #.

    Just my 4 cents.
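The access question raised in the comment above, as an added example that is not part of the original comment or of any registrar's code: one way an admin interface can show staff a masked listing of privacy-protected domains, unmask a row only against an open support ticket for that account, and log every attempt for later review. All names, roles and ticket ids are hypothetical and the sample data is constructed.

```python
"""Added illustration: masked staff view with ticket-bound, logged reveal."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Domain:
    name: str
    privacy: bool  # True when whois privacy is switched on


@dataclass
class Account:
    account_id: str
    domains: list


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, staff, account_id, row, ticket, allowed):
        # Store the row index, not the name, so the log is not a second leak.
        self.entries.append({"staff": staff, "account": account_id,
                             "row": row, "ticket": ticket, "allowed": allowed})


def mask(name):
    """Hide the label behind a fixed-width mask so its length is not exposed."""
    _, _, tld = name.rpartition(".")
    return "********." + tld


def render_account(account, viewer_role):
    """The owner sees every name; any other role sees privacy rows masked."""
    rows = []
    for d in account.domains:
        visible = viewer_role == "owner" or not d.privacy
        shown = d.name if visible else mask(d.name)
        rows.append(shown + (" (whois on)" if d.privacy else ""))
    return rows


def reveal(account, row, staff, ticket, open_tickets, log):
    """Unmask one row only against an open ticket for this account.

    Every attempt is logged, whether or not it is allowed.
    """
    allowed = open_tickets.get(ticket) == account.account_id
    log.record(staff, account.account_id, row, ticket, allowed)
    if not allowed:
        raise PermissionError(
            f"{staff}: no open ticket {ticket!r} for {account.account_id}")
    return account.domains[row].name


def review(log, max_reveals=3):
    """Staff ids worth a second look: any denied attempt, or many reveals."""
    counts, flagged = {}, set()
    for e in log.entries:
        if not e["allowed"]:
            flagged.add(e["staff"])
        else:
            counts[e["staff"]] = counts.get(e["staff"], 0) + 1
    flagged.update(s for s, n in counts.items() if n > max_reveals)
    return sorted(flagged)


# Constructed sample data, mirroring the listing in the comment above.
ACCOUNT = Account("acct-1001", [
    Domain("domain1.com", False),
    Domain("domain2.com", False),
    Domain("domain3.com", True),
    Domain("domain4.com", False),
])
OPEN_TICKETS = {"T-42": "acct-1001"}  # ticket id -> account it was opened for


def demo():
    log = AuditLog()
    staff_view = render_account(ACCOUNT, "support")
    # Legitimate case: the customer opened ticket T-42 about this account.
    name = reveal(ACCOUNT, 2, "support-a", "T-42", OPEN_TICKETS, log)
    # Curiosity case: no ticket, so the reveal is refused but still logged.
    try:
        reveal(ACCOUNT, 2, "support-b", None, OPEN_TICKETS, log)
    except PermissionError:
        pass
    return staff_view, name, review(log)


if __name__ == "__main__":
    print(demo())
```

The mask does not remove insider access; it narrows it to cases with a recorded business reason and leaves a trail that a reviewer can check.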

  5. 2011 January 1
    MHB

    J

    I don’t know everything going on in the domain industry, but I do know the set of circumstances which led to the statement of Moniker.

    I have no desire to see Moniker or Oversee fail.

    I was actually the 1st and possibly the only blogger at the time of the bidding scandal to come out and applaud Oversee for disclosing the issue and also did a week’s worth of research to conclude that no other employee of Oversee was involved.

    This story was driven by the registrant of the domain who was quite upset that a domain he had under privacy was divulged to a third party by an employee of the registrar.

    If the registrant didn’t object to this, then it would have never gotten to the bloggers.

    As far as being a Major story, I don’t know where in my story I said it was a major story. I reprinted Moniker’s statement and added in my opinion based on the facts as I know them.

    Many of the commentators believe this is a major story and each person will have to decide that for themselves.

  6. 2011 January 1
    MHB

    John

    I was not furnished nor did I request a copy of the employment agreement between Moniker and the employee and don’t even know if such an agreement exists.

  7. 2011 January 1
    Anon

    @ J

    It’s quite simple. There is an underlying principle here. The technical debate about the breadth of domain privacy is an aside to the larger question.

    Let’s say I own HotSluttyWhores.com in my personal domain account, registered at Godaddy… And let’s say my day job is as a website designer, totally unrelated to this domain name. Today, I might design a site for Sues Retro Clothing, then tomorrow, I design a site for The Great Coffee Cafe… As a result of my daily duties as a website designer, perhaps I’ve made a website for the Church of Jesus and act as their webmaster.

    Say someone at Godaddy has a grudge against my owning an adult domain. Let’s say this person is their hot new tech support guy, fresh off the boat from Ireland, named Pádraig O’Dell. For whatever reason (perhaps something contained in a whois in one of the other domains in my account) Pádraig O’Dell knows I’ve done work for Church of Jesus and being a good Irish Catholic boy, Pádraig O’Dell takes grave offense to my owning a domain name like HotSluttyWhores.com. He contacts my employer, the Church of Jesus, and notifies them that I own a domain name that might be incongruous with their beliefs, in an attempt to impugn my relationship with them, due to his own personal feelings.

    The issue here is whatever compact of trust that might exist between registrant and registrar when domain privacy is employed. If internal employees are breaching this trust to satisfy personal vendettas, this is an enormously disturbing thing. It significantly undermines the credibility of that registrar, in terms of what sort of control they have over their employees and how secure our private information is, with that company. That someone’s employment can be jeopardized by a corporate employee using private information to satisfy a personal agenda is hugely offensive.

    It’s not a ‘big deal’ to everyone, but you can bet it’s a ‘big deal’ to the person who saw their employment under attack. If we put ourselves in that person’s shoes, it becomes a big deal to us, too.

  8. 2011 January 1
    MHB

    Animal

    I understand what you are saying.

    And of course you are referring to a comment made by Ron Jackson not a statement made by myself, but since you raised the issue let’s chat.

    My thoughts are just because you have access to information that doesn’t mean you can access it whenever you would like or do anything you want with the information. For example an employee of the IRS might have access to view anyone’s tax return but it would be probably against the IRS rules for any employee to check out say Bill Gates’ tax return just because they were curious what it looked like.

    It’s also probably a big no-no for an IRS employee who might look at someone’s tax return to then discuss it with third parties.

    Maybe Moniker doesn’t have such rules in place, in which case, maybe the employee didn’t violate any rules of Moniker, but the statement of Moniker would indicate that there are rules in place and the employee did violate the rules.

    If the rules were violated then the issue becomes what punishment if any should the employee who violated the rules receive if any and what controls is the company going to put into place to make sure it doesn’t happen again.

  9. 2011 January 1

    Mike, I agree 100% with what you just said. I was just pointing out, for the sake of argument, since others seemed to have voiced concerns about the whois privacy not being private to employees of the registrar, that it most likely isn’t going to be technically feasible on the administrative end. It’s an issue of checks and balances, or rules and punishment as you stated.

  10. 2011 January 1
    Anon

    It’s also probably a big no-no for an IRS employee who might look at someone’s tax return to then discuss it with third parties.
    —-

    I can’t recall the exact cases, but I’m certain there have been terminations (and possibly, prosecutions) of employees and/or law enforcement officials at the Federal Level who’ve gotten into a heap of trouble by using their access to non-public records for whatever reason, including ‘curiosity’.

  11. 2011 January 1

    Mike,

    Your article is tame compared to the leak. I’m sure you have worked with the companies in question.

    Giving them an ultimatum to respond or leak the breach is harming the companies. Why not keep the case in-house? Should every act of wrong be put out in the public eye?

    The main leak is one that seems to target the reputation of the companies who have been good to their customers. Should we throw them in the same pot as other unethical companies? No. One incident. Take care of in-house. The domain name in question is childish.

  12. 2011 January 1

    Anon,

    Your scenario is on the same wavelength, but also different too. We’re talking a name and sucks.com.

    The church and sex site example are different. Many times privacy is used to prevent spam. Maybe the employee was jealous of the domain owner and their job or collection. Who really knows?

    I agree with the church and sex comparison. However, I disagree that your example is equal to the incident. Sex site and a sucks website.

    Both instances can get an employee terminated. Though, the sucks domain seems to be a joke. As previously mentioned, the employee may be jealous or an instigator. Domain blogs operate on the same format, as well.

  13. 2011 January 1
    MHB

    J

    I’m only going to say this one more time.

    To the person that was affected, that is the domain holder, it was a BIG DEAL.

    The Domain holder was not satisfied with Moniker’s response and did not want to keep it in house.

    I’m not putting Oversee in a pot of “bad companies” as you suggest.

    I like and respect Jeff, Craig and many of the employees of Moniker and Oversee.

    I do think their response to this incident should have come from them and quick and decisive action should have been taken.

    Having said that, the situation is now known, and everyone can draw their own conclusions. Whether it’s a Big deal, no big deal is a decision everyone can make.

    All I’ve said is it’s a big deal to the affected party.

    Personally, I’m done with this issue and if not for responding to commentators like yourself I wouldn’t even be discussing this any more.

    Personally I have a few posts already written that will be published in the next few days having nothing to do with this topic.

    However if people want to continue to discuss this then we will continue to do so.

  14. 2011 January 1

    Privacy is not a mandated law in every state. There are different policies. Internet privacy is still in its infancy stage in terms of breaches.

    Medical workers have access to confidential medical records. There are many different laws. Privacy is protected under other policies, but only to an extent. Privacy is not a federal law. There is a privacy act, but states can mandate their own version of the act.

    The tax comparison is different. People tend to look at files, and discuss them. The privacy issue in question is that one employee tried to take the initiative to inform another about a domain name. If the domain owner is terminated due to owning such a name, or loses a deal, then he can file a suit.

    In regards to the incident, people seem to want the companies to fail. It doesn’t make sense to move assets based on one breach. If a computer company made a mistake, am I supposed to stop buying their products? No. It’s a silly incident that people are using to hold a good company hostage.

    I don’t use Moniker, but I know they’re a good company. Oversee.net is a good Internet brand. This is one isolated event. Why ruin their image? Another blog gave them an ultimatum to go public or he would. It wasn’t up to him to push a company off a ledge.

  15. 2011 January 1

    Mike,

    I appreciate the friendly discussion. Obviously, we are going to agree to disagree. I’ll see you in Berlin. Happy New Year!

  16. 2011 January 1
    MHB

    J

    Happy New Year

  17. 2011 January 1

    Overseeleaks

    mmm..
    I wonder if they will refund the “almost-private whois” fees for “services not rendered”

    We might get another bone.

  18. 2011 January 1
    landon White

    @ Domo Sapiens

    Overseeleaks

    mmm..
    I wonder if they will refund the “almost-private whois” fees for “services not rendered”
    ===========

    First you will have to go to their special ONLINE WEBSITE and fill in the WEB-FORM with your Full Name, Address, Telephone and Email and the Domain Name (example: filthyrottenpervertsbendover4you.cum)

    Then if accepted your refund will be posted along with the above information on the Internet Website in Bold letters before it is Snail Mailed to your wife if co-listed at the address listed on your almost-private whois.

  19. 2011 January 1
    Big Luke

    Are we still allowed to talk about the fact that Moniker … still has not made a Statement of Facts to its customers, or will this self appointed industry hack called J get MAD again and try to shut us up with his cut N paste rants ??

  20. 2011 January 2
    John Berryhill

    “I was not furnished nor did I request a copy of the employment agreement between Moniker and the employee and don’t even know if such an agreement exists.”

    Oh, okay. Then your suggestion that the employee be fired was made in total ignorance of what the termination conditions might be.

  21. 2011 January 2
    MHB

    John

    You don’t have to see an employment contract (if one exists) to know what ethical and unethical behavior is and what grounds people could be fired on.

    I have no doubt an employer can fire an employee for releasing information which is not supposed to be disclosed to third parties for releasing such information.

    I’m sure that employee of Apple who left his sample of the new iPhone in a bar didn’t have a clause in his contract like:

    Grounds for termination:

    “Leaving your test iPhone in a bar where it is found by a third party and sold to a blog for dissection.”

    Regarding not attending the whois privacy session at ICANN, I didn’t attend it because I didn’t need to.

    None of my 75,000 are under privacy.

    So whois privacy is not my issue, I don’t use privacy and have never used privacy.

    I do however respect people’s right who have chosen to do so and paid for the privilege.

  22. 2011 January 2
    Bobo

    Is that the real John Berryhill, or did someone replace him with a slightly retarded version with no morals?

  23. 2011 January 2

    @Bob

    Does one person’s comment/s essentially or factually conclude one has no morals on his/her overall person? It’s fine to disagree with someone, and issues can be discussed without necessarily putting someone in an arguably negative light without even knowing them personally.

    Of course, it’s arguably easy to say the employee should be fired, Moniker should make a public statement about this, etc. coming from the side of third parties not “intimately” involved with what happened there. If, say, one’s on the side of offering this kind of service and this kind of incident happened, how would any of you handle it despite others telling you what to do?

    It’s fine we all live in times calling for transparency and accountability and even more. How many of us are just as prepared to do something similar or the same and be ready to deal with its real-world results and, especially, its unintended consequences?

    And forgive my ignorance but…I thought Monte only left Oversee but not actually Moniker?

  24. 2011 January 2

    Whoops, Bobo actually. Not Bob.

  25. 2011 January 2
    NetJohn

    Dave,

    Let’s call that a Bobo type Booboo — no worries -LOL

    Monte parted ways with the “Whole Enchilada” ( entire organization) when his 3 year contract was up after “The Moniker Acquisition”…. it’s sure gonna seem awkward or at least different for a while without the pioneer & king & maestro of live domain auctions not doing his thing at big domain shows/conferences….. Unless ?????????? – !!!!!!!!!!

  26. 2011 January 2

    When one makes high profile sales, they have to worry about incurring average daily fees. A handful of 6 figure sales will cover all fees.

    The batch of 1491 domains are super elite, with some domains worth in the 7 figure range. Whereas, the recent 7% fee increased the amount to $55k in additional fees. The remaining 74,000+ can generate a good amount with little maintenance.

    A few $60k sales will cover reg for 2 months. Parking revenue is more than enough to cover fees because there are many high revenue sites in the bunch.

    There is a lot of profit to be made in acquiring sites at a bargain, and then reselling them to end-users for massive gains. It would be fun to be in such a successful position – rejecting offers and making big sales.

  27. 2011 January 2

    Ahhh…thanks, NetJohn. I guess Monte left at the right time, heh.

  28. 2011 January 2

    The last post was meant for another article.

  29. 2011 January 3
    John Berryhill

    “You don’t have to see an employment contract (if one exists) to know what ethical and unethical behavior is and what grounds people could be fired on.”

    You do if you want to avoid liability for a defamation suit and/or unlawful termination suit.

    Maybe you haven’t run a business in a while, but you don’t generally publicly announce that an employee has been disciplined or fired. And if you are called by a prospective new employer, you verify that the person worked there during the time stated, and that’s all you do.

    The way these things shake out in the real world is that if you fire a highly compensated contracted employee for something that you can’t document in black and white violated an express written policy, then you have a problem on your hands that is not going to be solved at the whim or demand of a bunch of overheated self-important blogviators.

    “Is that the real John Berryhill, or did someone replace him with a slightly retarded version with no morals?”

    No, it’s the one who owns his own statements and doesn’t hide behind a fake name on a blog.

    “I do however respect people’s right who have chosen to do so and paid for the privilege.”

    No, you see the remedy for a privacy violation to be another privacy violation.

    If the aggrieved party wants to pursue a legal claim, that’s his right. That’s what grownups do.

    Have you moved all your domains out of Moniker? Or are you continuing to fund their obvious corporate policy of personally screwing each and every privacy registrant?

    “Regarding not attending the whois privacy session at ICANN, I didn’t attend it because I didn’t need to.

    None of my 75,000 are under privacy.

    So whois privacy is not my issue”

    Well knock me over with a feather. But if a nitwit at Moniker does a stupid thing that doesn’t involve any more than three people then, by golly, it’s suddenly everyone’s issue.

  30. 2011 January 3
    Anon

    Well knock me over with a feather. But if a nitwit at Moniker does a stupid thing that doesn’t involve any more than three people then, by golly, it’s suddenly everyone’s issue.
    ———————

    It’s everyone’s issue who has names at Moniker, yes.
    If you don’t instantly understand why these sorts of goings-on harm consumer goodwill beyond the parties involved, and that these sorts of things raise concern amongst people who have names with that company, then no explanation will suffice.

  31. 2011 January 3
    Bobo

    @Dave Zan “If, say, one’s on the side of offering this kind of service and this kind of incident happened, how would any of you handle it despite others telling you what to do?”

    Problem: Employee breaks customer privacy, undermining the entire service that his employer offers, then uses the private information to email the client’s employer in an attempt to make him look bad.

    Solution: Fire the little, conniving fuck.

    So, where’s the part that needs this mind-bendingly complex analysis that you’re talking about?

  32. 2011 January 3
    Bobo

    @John Berryhill “Well knock me over with a feather. But if a nitwit at Moniker does a stupid thing that doesn’t involve any more than three people then, by golly, it’s suddenly everyone’s issue.”

    If we’re paying cold, hard cash for a privacy service that is being circumvented then it’s everyone’s issue. If someone who is an “industry leader” used that private information to stick the knife in another domainer’s back, then it’s everyone’s issue.

  33. 2011 January 3
    John Berryhill

    “used that private information to stick the knife in another domainer’s back”

    Could you remind me of what it was that the victim suffered, because I’m really unclear on that.

    If I received some letter from someone not in my organization, attacking the character of one of my employees, then it would tell me a whole lot more about the sender of that letter than the subject of that letter.

    As many of you know, Cristin answers most calls to my office among the zillion other things she does to keep things on the rails. I count on her to screen out BS telephone calls, and she is very effective at doing that.

    One day, a telephone call came in which, to Cristin, sounded like a commercial solicitation. Cristin said, “I’m sorry, we’re not interested” and ended the call.

    A few minutes later, the same caller was demanding to speak with me, and identifying herself as an attorney from Beverly Hills.

    Cristin put the call over to me and I answered. This lawyer then proceeded to go on a rant about how unprofessional my valued assistant is, and how insulting she was, and so on and so on, for about 45 seconds or so until I interrupted her and asked what it was she was calling about.

    She said she was calling to find out if I was interested in engaging on a matter that would have probably generated substantial fees for me.

    I made it very clear to her:

    “Cristin has worked with me for over ten years and has earned my absolute trust. You, I’ve known for under two minutes, but I have already decided that you are not the sort of person with whom I want to work.”

    So, let me see if I understand this. Some nitwit at Moniker was personally offended at a domain name that registrant X had registered, so he wrote some sort of screed to the employer of registrant X.

    Here’s what’s missing from the story, IMHO. What is it that registrant X’s employer do, other than to dismiss the Moniker nitwit as a nitwit?

  34. 2011 January 3

    So, where’s the part that needs this mind-bendingly complex analysis that you’re talking about?

    It’s fine if you’ll fire your employee for this exact sort of thing. No ifs, ands or buts.

    For other folks like myself, especially if that employee has long established him/herself as outstandingly competent who unintentionally and unfortunately screwed up, firing him/her on the spot is not necessarily an easy decision to make. I’d factor in his/her contributions to the company, that of the client who got affected, how soon I can replace that employee, and a zillion others or even other options like Moniker subsequently did.

    Of course, that’s just me and whoever feels similarly. YMMV.

    I asked that question because some folks here seem pretty outraged at Moniker having seemingly retained that employee, not publicly announcing this, and not doing them soon enough. No one’s saying such outrage is unwarranted, though it usually helps to pause and ponder before doing something that might, say, create unintended consequences.

    At any rate, we’ll all make choices and deal with their results. Who ultimately decides what to do despite others telling them anyway?

  35. 2011 January 3
    Anon

    What is it that registrant X’s employer do, other than to dismiss the Moniker nitwit as a nitwit?
    ——————–

    You’re probably a great guy to work for. I’m a great guy to work for.
    I’d bet most folks in our social circles would be great people to work for, too.

    As someone who’s spent many unfortunate days investing hard, honest work on the behalf of employers who were NOT great people to work for, I don’t think we can rely on employer benevolence as some sort of default position. You know as well as I do that plenty of employers are naturally suspicious, distrustful and even resentful towards their employees.

    You’re banking on a rational, level-headed response from the employer to mitigate this situation. I think that’s a terrible assumption to make. Not all employers respond rationally to freak situations that fall from the sky and land on their lap. What this Oversee employee did to the offended party, by way of employing confidential, internal corporate documents to further a personal grudge, may have jeopardized that person’s employment, period.

    I don’t think the position you’re advancing- that this is a closed matter, outside the interest of Oversee customers- is reasonable. Given the recent track record of ‘scuminess’ originating from Oversee companies, first with Halvarez and now this, their customers have reasonable cause for concern as far as the corporate culture that exists behind closed doors, how Oversee is apt to handle things like this and how it all impacts our own interests with them.

  36. 2011 January 3

    Just to clarify positions, it should be noted that John Berryhill, for whom I have the utmost respect as a fellow attorney and effective litigator, has represented Oversee in legal matters for many years.

  37. 2011 January 3
    Bobo

    @Dave Zan “For other folks like myself, especially if that employee has long established him/herself as outstandingly competent who unintentionally and unfortunately screwed up, firing him/her on the spot is not necessarily an easy decision to make. I’d factor in his/her contributions to the company, that of the client who got affected, how soon I can replace that employee, and a zillion others or even other options like Moniker subsequently did.”

    Firstly, it was not “unintentional”. It was done with the intent to inflict damage.

    You’re saying you’d keep any employee who deliberately attacked a client on a personal grudge, just because he makes you money.

  38. 2011 January 3

    You’re saying you’d keep any employee who deliberately attacked a client on a personal grudge, just because he makes you money.

    I didn’t say that. You did.

    I likely won’t keep an employee who indeed deliberately caused a client a demonstrable form of harm, though. I might…might reconsider if the employee sincerely understood the gravity of his/her error, apologized to me and the client, and so on.

    From what I read in Rick’s blog about it, though, I don’t necessarily see the employee having a personal grudge against the registrant. Maybe telling the registrant’s employer a piece of his mind without realizing the act’s implications, though none of us know for sure except the actual parties involved.

    Anyway, I also get that some folks aren’t exactly keen on Moniker (and especially Oversee, I guess?) in light of their past actions. I don’t know what else can Moniker et al do other than do what they stated or maybe give a rebate or so, but that’s, again, ultimately their call.

    As also mentioned before, it can happen, and it can happen with any provider. A question, then, is what to do after.

  39. 2011 March 23

    Hey Gang,

    I just read over at Rick Schwartz’s blog that the person who breached the Moniker
    (who is, big secret couple months back) private security IS this Chef Patrick.
    )
    ://www.ricksblog.com/my_weblog/2011/03/it-is-far-from-over.html#comments

  40. 2011 March 23
    Nader

    Damn, I knew it was him all along,
    he had just started working for Moniker around the same time,
    they should have fired Chef Patrick a long time ago, I never felt
    my names were safe at Moniker after that.
