Moneysupermarket fined £80,000 for spamming seven million customers

Price-comparison darling Moneysupermarket.com has been fined £80,000 for sending 7.1 million emails to customers who had opted out of receiving direct marketing emails. The UK’s data protection watchdog stepped in to compare the firm’s behaviour with the law – and found that it had attempted to circumvent rules on direct …

  1. Anonymous Coward

    You're so

    Moneysupermarket.con

  2. Anonymous Coward

    Personally speaking,

    shitty underhand tactics like this are enough for me to *never* use a company again.

    If they can't be trusted with a simple opt-out request, they cannot be trusted to do anything.

    1. Anonymous Coward

      Re: Personally speaking,

      If they can't be trusted with a simple opt-out request, they cannot be trusted to do anything.

      Maybe. But I suspect that the spamming here is down to the ignorance or wilful abuse by a few marketing droids, obsessed by their latest "campaign", seeking eyeballs and click throughs. Having worked on the edges of marketing, I think many of those involved are so shallow and ill-informed that it's hardly surprising that we see mis-use of customer data. In many cases, I'd go as far as to suggest that the marketing peeps THINK that they are compliant in this situation because the data is current or previous customers, and they've not realised that although the law allows a "soft opt-in" for customers, opting out nullifies that.

      The question then arises whether the stupidity of a few marketing bods is representative of the firm's approach to its core business. In most larger businesses, I think generally not (exception for Talk Talk in particular). So would I trust Moneysupermarket to do a reasonably good job of market analysis and offering me close to best value on financial products? Yes. The service isn't free, they'll be making a buck somewhere, if I put the effort in I could find a better deal myself, but overall, the misuse of customer data by marketing makes me distrust marketers (and advertisers) in general far more than it sullies the company's own brand.

      Now, if they suffered a really serious compromise of customer data, that's different, as in the case of Talk Talk and others.

      1. Anonymous Coward

        Re: Personally speaking,

        If people have access to data they can process (by request or action) but don't understand the rules around the processing of that data then it identifies a fundamental problem with the company's governance.

        Governance is generally led from the board of directors based on the remit of the shareholders...thus it's very very serious.

        1. Anonymous Coward

          Re: Personally speaking,

          Governance is generally led from the board of directors based on the remit of the shareholders...thus it's very very serious.

          You're right, and I get that. But I'm not sure you can extend minor (for a given value of minor) crimes to be an indicator of more serious problems. The same logic would say that if there's petty expenses fraud, or staff stealing the stationery, then the whole company lacks financial governance and is at risk of serious fraud. Petty and major crime can certainly go hand in hand, but as a general rule, inflated mileage claims or stolen post it notes are not an indicator of anything seriously wrong with corporate governance. I speak from some experience, including working for a £250m company that went bust on the back of serious fraud, and working for another that got fined the fat end of £40m for wilful fraud. Both had robust, audited expenses processes...

          The misuse of millions of customers' data is certainly more serious than you or I taking a single pack of "post-its" (some may differ on that, let him without sin etc), but the actual harm to the customers? Data governance is an emerging issue. There's some cowboys in every line of business, and mistakes will be made. But spamming out a load of undesired marketing email isn't in the same league as a real data governance problem that exposes customers' personal data.

      2. CrazyOldCatMan Silver badge

        Re: Personally speaking,

        Having worked on the edges of marketing, I think many of those involved are so shallow and ill-informed

        This is very true - in previous work-places I've sometimes had to be The Voice of Sanity[1] when Marketing people (ie the people who wish they could do sales but don't have the empathy required to be a good salesperson) suggest something so astoundingly stupid[2] that it's not only a bad idea, but quite possibly illegal as well..

        [1] Not a role that comes naturally to me at all. I'm a cat person after all..

        [2] One had heard of BlueJacking and wanted to use it to push adverts to passers-by. I had to a) explain in words of one syllable why it was such a bad idea and b) go over his head to the senior marketing person who, despite being in Marketing, was actually a very smart person indeed. She told him in no uncertain terms that, had he tried to put that idea into practice, he'd find himself in P45-land ASAP and also reported to the Police. He never really forgave me.

      3. Inventor of the Marmite Laser Silver badge

        Re: Personally speaking,

        Never attribute to malice that which can be perfectly well explained by stupidity

        1. Alumoi Silver badge

          Re: Personally speaking,

          Never attribute to malice that which can be perfectly well explained by marketing

    2. Lee D Silver badge

      Re: Personally speaking,

      Which is why you generate unique email addresses at a cheap domain host, with forwarding to your "real" account.

      Then when this happens, not only do you know WHO gave away your email address, but you can then just permanently blacklist any emails that arrive for it, thus saving you from all those marketing things they'd like to have from their partners.

      I once had to ring up an educational computer furniture supplier, who somehow managed to get hold of the email that I'd ONLY given their rival. They basically admitted that they'd started the company from a stolen copy of the other company's database, helpfully brought in by a former member of staff.

      It's more common than you think. I have several dozen websites where I *GUARANTEE* I never signed up to anything, but the email I gave for things like order notifications suddenly gets spammed by rivals or ends up on general spam lists. Therefore I have several dozen blacklisted email addresses (that still receive quite a bit of email, but it's refused with a snarky SMTP message) and companies to go with them.

      E-Frag is one that springs to mind. I rented a game server from them once, about 10 years ago, and spam still comes in for that address I used, from all kinds of places.

      For the cost of a £1 domain, it certainly cuts out a lot of spam. And if I wanted to, I could just not have the mailbox it delivers to be addressable directly (i.e. only accept the forwarded emails). Then I'd have basically zero spam, I think.

      1. CrazyOldCatMan Silver badge

        Re: Personally speaking,

        Which is why you generate unique email addresses at a cheap domain host, with forwarding to your "real" account.

        Or - if you use a real MTA like qmail on your own server, you either make your address the catchall for the domain (or generate another account and use that) and use non-existent addresses that are specific to the organisation[1] to the left of the @ sign..

        I suspect postfix will do something similar.

        [1] So, to the website dodgyvendor.co.uk you give the address dodgyvendor@[yourdomain]. If you then get spam to that address you'll know that someone there has either sold your address to the scum, or that DodgyVendor is living up to the name.. At which point you configure your firewall to reject any attempts to email that address.

      2. Anonymous Coward

        Re: Personally speaking,

        I know they are a bit of a joke on here, but Yahoo allows you to create as many disposal addresses as you like based on a common prefix for free.

        1. Prst. V.Jeltz Silver badge

          Re: Personally speaking,

          Yeah I'd heard that, but it didn't seem to work.

          I've got myname@yahoo.co.uk, but it didn't seem to want to receive anything sent to retailerX.myname@yahoo.co.uk

          (if that's what you meant)

          1. Anonymous Coward

            Re: Personally speaking,

            Not quite, I've got firstname.lastname@yahoo.co.uk but my disposal addresses are six random letters, hyphen, anything e.g.:

            abcdef-amazon@yahoo.co.uk

            abcdef-moneysupermarket@yahoo.co.uk

            all go to the main address inbox. I can then kill off any one of the disposal addresses wherever. The only requirement is that it always has to be the same prefix.

      3. VinceH

        Re: Personally speaking,

        "It's more common than you think"

        And Moneysupermarket aren't the only big name to be guilty of disregarding customer choices, as shown by this example from Barclaycard from a couple of weeks ago.

        Note that the email (on the right) is clearly a marketing missive, while my account (bottom left) shows I've opted out of receiving such things. Just for added shits and giggles, top left is their page warning about email scams warning against emails asking for log-in details. A 'log-in' link in an email must obviously be perfectly safe, because no fraudster could conceivably do that with the link taking the victim to a fake version of the real site, could they?

  3. wolfetone Silver badge

    How much would it take for a website that asks you whether you want to receive email communication or not to send you a receipt of what you chose? If you opted out, they could send you a one time email saying "You've opted out". Then you have a record of what you've agreed to.

    Thing is, I'm almost certain I always opt out of these things, but I'm never sure as I've no receipt to confirm it or not. But I guess sending a receipt means these websites can bend the rules a bit and hope I don't remember opting out in the first place.

    1. Robin

      "I'm almost certain I always opt out of these things, but I'm never sure as I've no receipt to confirm it or not"

      Plus the opt-out text can be misleading. "Don't not untick this if you sometimes don't fancy receiving nothing..."

    2. sitta_europea Silver badge

      How much would it take ...

      You need to be able to give a different email address for each subscription or opt-out. Develop a system. Then you'll know not only what you have done with your addresses but also what _they_ have done with your addresses. Most likely they'll have sold them, or at least leaked them. You probably wouldn't believe how many spammers try to send mail to my public mailing list addresses. Of course those addresses only accept mail from the lists to which they're subscribed.

      You also need to be able to blacklist senders in all kinds of ways, ESPECIALLY country of origin, which will cut out more than 90% of the garbage, but also AS Number, envelope sender, recipient, other headers, body content...

      In the end I wrote a Sendmail milter because there was nothing that would do it all for me:

      mail6:# > grep money *list

      xmas-milter_envfrom_blacklist:moneysupermarket.com => 1

      (Yes, it's pure Perl.:)

      If you don't do all this, the criminals will be laughing all the way from the bank (having just robbed it).

      1. CrazyOldCatMan Silver badge

        Re: How much would it take ...

        In the end I wrote a Sendmail milter

        AAAAAAAAARRRRRRRRRGGGGGGGGGGGHHHHHHHHHHHHH

        I'd managed to forget my days of having to wrangle sendmail and you've now brought it all flooding back!

        I'm going to blame tonight's two bottles of wine on you[1]. Hopefully that'll wash away memories of Friday night spent down at the sendmail.cf[2]

        [1] It's a good excuse anyway. Admittedly, said bottles were already on tonight's plan and now I can blame them on you when the Senior Controller at home asks. It's a win/win[3]

        [2] Bonus points if you can remember the song that that line is stolen from (apart from the sendmail bit)

        [3] Except, possibly, for my braincells and liver. But the wine vendor will be happy.

  4. macjules

    Ahem .. GDPR

    Could have waited a bit and then really hit them for a fine.

  5. Mage Silver badge

    £80,000 for sending 7.1 million

    Too cheap. 1.1p per person

    1. alain williams Silver badge

      Re: £80,000 for sending 7.1 million

      Fine £80,000 - new business as a result £xxx ??? The fine should be in excess of what they gained otherwise fines will just be seen as an extra cost.

      Also: 1/2 the fine should be paid by board members, personally - out of income after tax. Unless it hurts someone in authority: behaviour will not change.

      1. Prst. V.Jeltz Silver badge

        Re: £80,000 for sending 7.1 million

        I dare say that board member would then mysteriously receive an £80k bonus for "going beyond the call of duty"

      2. fobobob

        Re: £80,000 for sending 7.1 million

        That's a fantastic deal!

  6. Elmer Phud

    The adverts are shite, too.

    Looking at the list of characters on Wiki we find this gem:

    "Fisto is an extra-strong warrior with an enlarged metal right hand."

    yes, well, as long as Lubo turns up as well then we'll be fine.

    1. Anonymous Coward

      I was trying to figure *what* the **** you were on about here! After Googling, it turns out that "Fisto" is a "Masters of the Universe" character, so presumably it's a reference to that series' use as part of their ad campaign.

      I assume "Fisto" is one of those more obscure characters created as an excuse to sell yet another toy to 7-year-old kids and probably won't be appearing in the ad campaign?

      As is Lubo ;-)

  7. Anonymous Coward

    Organisations can’t get around the law

    clearly, as the case demonstrates, they can, and they do, and you do fuck all about it. The fine should have hurt. As it is, it merely confirms it pays to spam, and sends a message: it's cheap, go for it!

  8. Halfmad

    Fines are always stupidly low

    7+ million people spammed.

    80K fine.

    I'm sure they'll totally learn their lesson.

    1. Anonymous Coward

      Re: Fines are always stupidly low

      The fine should be at least the rate of first class stamp per email. In the US that would be 49. Using that math the fine should be 3.4 million dollars. In the UK that fine would be 4,5 million pounds.

  9. dave 81

    So why do BT still call?

    BT have been doing this for years... "Just a service call to check you are happy with your service, say while we are checking up, would you like these extra services?" despite the TPS. Come on ICO, close these fools down.

    1. Anonymous Coward
      Childcatcher

      Re: So why do BT still call?

      "BT have been doing this for years..."

      My landline has a PSTN<->SIP gateway on it that drops incoming calls. It is for emergency use only. The IAX trunks, when rung by a non whitelisted number, respond with:

      "Press 1 if you think we'd like to speak with you or 2 to leave a voicemail. If you are making an unsolicited sales call then hang up."

      Haven't had a sales call in years. A full PBX is a bit over the top for most people but you can buy reasonably cheap devices that will filter incoming calls with a simple setup.

  10. zaax

    Which means they are storing your details. If they had just deleted them as soon as you not ticked the box they would not have this problem

  11. andy 103
    Meh

    If you'd like to opt-out of this...

    ...untick the ticked tick box to not not receive emails that you will not receive if you don't untick the ticked tick box that's currently unticked but will be ticked if you don't untick it.

    1. Anonymous Coward

      Re: If you'd like to opt-out of this...

      ...untick the ticked tick box to not not receive emails that you will not receive if you don't untick the ticked tick box that's currently unticked but will be ticked if you don't untick it.

      Tick off.

  12. Kaltern

    Capital One used to be one of the worst for this ( I used to work there), I don't know if they do it now, but about 15 years ago, you had to call them to activate your card, and there was no automated system. You HAD to speak to someone (me), and WE had to try and sell the utterly pointless - and worthless - Sentinel Card Protection before we'd let you use your card.

    Then we'd have the 'courtesy calls' which, because it was supposedly classed as customer service, didn't count as a marketing/sales call. However, we always had to see if we could sell the infamous PPI which was the real purpose of the call.

    I bet not a great deal has changed...Except the PPI bit. Pretty certain that has....

    1. quxinot

      Capital One got my information and was sure I was someone else.

      I finally resorted to very carefully reading the appropriate section from the law that said exactly how much they were going to get fined to a rep. And had them repeat it, state that they understood it, and so on.

      It worked, after nearly 2 years of constant calls for Jennifer somebody. Now if I could take their junkmail, wrap it around a brick, and return it to their offices, they might eventually realize that I do not wish for further unsolicited contact.

  13. Arachnoid

    Too cheap. 1.1p per person

    Cheaper and quicker than Royal Mail 1st class

  14. Kevin McMurtrie Silver badge

    Perceived US loophole

    Here in the US, there's a perception among rabid marketers that you can keep inventing new lists forever and customers must keep opting out of them. It's not true, but that's what Oracle does. (Yes, Oracle moved into the professional spamming business a few years ago.)

  15. MaldwynP

    If only there was a single comparison web site that I could go to that told me which comparison website sent the most spam.

  16. Lotaresco

    I have a simple solution to this.

    I give each organisation that I deal with a unique-to-them email address to be used to contact me. I always opt out of marketing. Any organisation that ignores my request is (a) blacklisted on the mail server and (b) added to the long and growing list of companies that I will never, ever deal with again.

    If everyone were to boycott the companies that spam us they would go to the wall quickly.

    BTW, the most pernicious of these companies is "Visit England" which ignores all opt-out requests and uses "unsubscribe" to confirm that the email they have for you is working. They regularly close the company down and then re-incarnate under a slightly different name, with the same directors. Complaints to OFCOM have had no effect, yet.

    They're as bad as the cold-calling double glazing companies.
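The per-organisation address scheme that several commenters describe, sketched as an added example (not code from any commenter or from The Register). It goes one step beyond the thread by appending a keyed tag so that guessed addresses on a catch-all domain are refused; `SECRET`, `DOMAIN`, the function names and the sample senders are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: private key kept on your mail host
DOMAIN = "example.org"            # placeholder for the cheap forwarding domain


def _tag(org: str) -> str:
    """Six hex characters derived from the organisation name and the secret."""
    return hmac.new(SECRET, org.encode(), hashlib.sha256).hexdigest()[:6]


def alias_for(org: str) -> str:
    """Address to hand to exactly one organisation, e.g. at sign-up."""
    org = org.lower()
    return f"{org}-{_tag(org)}@{DOMAIN}"


def parse_alias(rcpt: str):
    """Return the organisation an address was issued to, or None if forged."""
    local, _, domain = rcpt.lower().rpartition("@")
    org, sep, tag = local.rpartition("-")
    if domain != DOMAIN or not sep or not org:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(org).encode())
    return org if ok else None


def triage(rcpt, envelope_from, expected, revoked):
    """Decide what to do with one message from its envelope addresses.

    expected: organisation -> set of sender domains you agreed to hear from
    revoked:  organisations whose alias you have killed off
    """
    org = parse_alias(rcpt)
    if org is None:
        return ("reject", "unknown alias")
    if org in revoked:
        return ("reject", f"alias for {org} revoked")
    dom = envelope_from.rpartition("@")[2].lower()
    allowed = expected.get(org, set())
    if any(dom == d or dom.endswith("." + d) for d in allowed):
        return ("accept", org)
    # Valid alias, unexpected sender: the address was shared, sold or leaked.
    return ("flag", f"address given to {org} used by {dom}")


# Constructed sample data, not real traffic.
EXPECTED = {"dodgyvendor": {"dodgyvendor.co.uk"}}

if __name__ == "__main__":
    addr = alias_for("dodgyvendor")
    print(addr)
    print(triage(addr, "orders@dodgyvendor.co.uk", EXPECTED, set()))
    print(triage(addr, "promo@bulkmailer.example", EXPECTED, set()))
    print(triage(addr, "promo@bulkmailer.example", EXPECTED, {"dodgyvendor"}))
```

A "flag" result is the evidence trail the commenters want: it names the organisation the address was given to and the domain now using it, before you move that organisation into `revoked`.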

  17. Lotaresco

    "the law allows a "soft opt-in" for customers"

    And there's your problem right there. Corrupt politicians who imagine that marketing companies are more important than the electorate.
