A few days ago, I received an email from two people who work with Mid-Valley Voice, part of the website for the local papers:
This weekend we learned that MidValley Voice user account information was accessible for several days.
A list of usernames, passwords and email addresses was available in an obscure network known primarily to product testers working for our vendor, who partners with us to operate the MidValley Voice network.
After learning of the security problem, our partner immediately secured the account information. Further investigation leads us to believe that exposure was very limited, primarily by our registered users who may have searched for their own names in Google. We have received no word from customers that any accounts were compromised.
As a precaution, we suggest changing your MidValley Voice password and monitoring the e-mail account associated with our network for any problems.
Needless to say, this is annoying, It happens, but it’s annoying. From there, though, things went oddly south. First, the link that had been included in the email was broken. Considering this went out to all MVV subscribers, that’s rough.
Second, I went online to the MVV site and started to look around for a way to simply delete my entire account. I’d rather do that and start over – I only really have an account because one is required – than simply change my password, given the nature of the problem. I could not figure out how to delete my account. Assuming I might have just missed it, but realizing there probably wasn’t actually a way to delete my own account (and that being a rather significant failure on the part of whoever put MVV together), I emailed the two people who had signed the email that went out to MVV subscribers. My email:
[Name] or [Name],
Can you please let me know how to simply delete my entire account? Given the email that just went out about passwords, I would prefer to do that.
A few hours later I got this response:
Your account has been removed. – [Name]
That was the entirety of the response. Note that I didn’t ask to have my account deleted, exactly; I asked how I could delete my own account. This only made me suspicious there really was no way for a user to delete their own account, i.e. control their own information. Since I had two accounts on MVV that I wanted deleted, I sent a second email:
In that case, can you also remove the account associated with [email address] (as you can see, it’s also me) and, if such a way exists, let me know how users can shut down their own accounts?
Three minutes later, I got this response:
That account has been removed as well.
Helpful, sort of, but not quite what I was looking for. In fact, at this point I began to wonder if they were intentionally ignoring the question, though I also want to stop and acknowledge that the person who was responding to me was probably having one hell of a day just trying to fix things. Even so, I think, it would not have been too hard to address my question.
Bearing in mind all email correspondence after my initial email had been between myself and one of the two people I had emailed, later that evening I got this email from the second of the two:
Did [Name] get back to you on this?
He deleted the accounts I requested. He did not explain if users have the ability to delete their own accounts.
I then got the following email:
We’re not sure about that ourselves, if I understood [Name] correctly. We’ll know more from our vendor tomorrow.
This is the sort of non-definitive answer I was OK with. I had kind of figured the answer was probably “no,” and at least “we don’t know.” That’s life – I was more annoyed with the fact that the first person had just ignored the question entirely. But in any case, it was getting to be late in the evening at this point, so I just kind of put it out of my head. Sure, it’s annoying when that sort of thing happens, but it does, etc etc.
Then a friend of mine, who had asked for their account to be deleted as well, got the following email – note that I have included more of the email thread because it contains some email that went between the two people who had sent out the original email notifying users of the security breach:
I’ve removed your account.
Sent: Friday, October 30, 2009
Subject: FW: Removal of Mid-Valley Voice Account
Another one I just came across. [emphasis added]
Sent: Friday, October 30, 2009
Subject: Removal of Mid-Valley Voice Account
Can you please remove my Mid-Valley Voice account?… I will re-register at a later date, but I was not able to delete my account.
This entire situation is very frustrating.
At this point I just started laughing, because not only was I not only not the only person who had the problem of not being able to delete their own account, but the line left in the email correspondence sent to said friend of mine sounded like the two people were annoyed with the users who had requested their accounts be deleted after the company had leaked the password and other information.
This just kind of compounds the underlying problem, which is that users don’t have the ability to delete their own accounts. Add in staff who display a tone of annoyance at users, and, well, it’s just terrible customer relations that made a bad situation worse.
The funny thing about all of this, though, is that I don’t actually place much blame on the two staff in question for the problem (note that I have not mentioned their names, though they will certainly be able to recognize their own email correspondence). First, as I mentioned, they are undertrained in this area. Second, they are overworked. Third – and probably most importantly – they are under pressure from above to do things a certain way that may have led to the security breach in the first place. And fourth, I bet at least one of them was having really bad day in trying to deal with this, and probably chose to do what they could in the moment – and I appreciate the speed in which that happened.
None of this excuses the terrible customer relations, but I think it goes a long way towards explaining them. It would be better if the parent company a) actually hired people who were formally trained in this kind of web work, rather than rely on a converted reporter, and b) hired enough staff to do this right. Oh, and also c) get some decent software that allows for user control over account creation and deletion, but that’s oddly almost not worth mentioning – I don’t actually expect Lee Enterprises, the parent company, to allow their staff to do something like that.
I’ve never really liked the MVV site. It’s always struck me as too little too late in the world of social media platforms, and more designed to generate ad revenue than anything else. I do acknowledge, though – and again – that this is not necessarily the fault of any local staff, but the result of bad corporate policy. That’s what needs to change, the local staff’s crankiness notwithstanding.