Lax Data Security at NAGR

By John Richardson and Paul Lathrop

 

On Friday evening we were contacted by Jeff Hulsey, a retired gunsmith from the Gulf Coast region of Texas. Jeff had a problem. Starting back in August of 2013, he began receiving emails in his personal Gmail inbox that did not appear to be intended for him.

The emails were from the National Association for Gun Rights, a Colorado-based 501(c)(4) organization with the stated purpose of “Educating gun owners and gun rights’ supporters in gun rights issues both at the local and federal level”.

Jeff provided an email from which he had redacted the identifying information. The information, such as the sender’s email address and telephone number, as well as any other personal information provided in the body of the email, seemed to have been forwarded from inside the organization. At the top of the email sent to us was a one-word sentence: “Rebuttal?”

To Jeff, this looked like a simple mistake. It looked like someone had the wrong email address and was forwarding him email incorrectly. He tried to contact NAGR and got no response. He has since received about one email a month from them following the same pattern.

What concerns Jeff is that, even though he is trying to point out the fairly obvious error they are making, they are still leaking personal information to an unknown party. We asked Jeff if these emails were truly unsolicited. He replied, “Absolutely unsolicited. The only dealings I’ve ever had with the NAGR were to score a couple of stickers for the side of my toolbox. I’m not even a member.”

When asked if the rest of the emails looked like the email he provided to us he stated, “Yes. It’s random questions from people who visited their “Contact Us” page, then forwarded by someone within their organization for follow-up or review. Some of them contain some very specific personal information, like the USPS worker who details which facility he works at in pursuit of an answer to a legal question.”

The privacy policy listed on NAGR’s website states in part that “We have put in place appropriate physical, electronic, and managerial procedures to safeguard and help prevent unauthorized access, maintain data security, and correctly use the information we collect online.”

Jeff has tried to get NAGR to correct this situation with no results. He’s gone to his local Better Business Bureau hoping that they could get NAGR to fix this situation with similar results. Out of his frustration over the situation, he is going public with it in the hopes that Dudley Brown and NAGR can get their act together. More importantly, he says that “NAGR needs to come clean on this and admit to fumbling private data, and openly implement measures to prevent it from happening again. Scrubbing my email from their lists isn’t good enough. They need to go through every email they’ve been forwarding mail to, every list they maintain, and make sure each email on that list belongs there.”

We agree.

The National Association for Gun Rights wants to be considered a major player on the gun rights front. At least that is what you are led to believe from the daily emails that they are sending out to what must be millions on their email lists. Of course, for those of us who know better, it is just spam.

An outgrowth of Dudley Brown’s Rocky Mountain Gun Owners, they have started to try and insert themselves into the gun politics of states other than Colorado. This is often in opposition to groups like the NRA and state-level gun rights organizations.

Privacy and data security are serious issues and need to be taken seriously. If NAGR wants to be taken seriously, they need to do something about this issue, and sooner rather than later.

We attempted to get in touch with NAGR both through their website and through a Facebook message. As of the time we went public with this story, the only response we had received was to the Facebook message. About 4 hours after we sent the message, we received a link from them pointing to their privacy policy. No other commentary was provided. We sent a return message stating that it was they themselves who were violating their policy. We received a one-word reply: “Huh?”

 

11 thoughts on “Lax Data Security at NAGR”

  1. I’ll have to check the archives but I’m sure similar email was received by my Gmail e address as well… This beyond the tons of spam received on the daily. And, similarly I’ve had no dealings with NAGR, and often wonder who sent my email address to these spamming fools… I’m a member of a few gun rights orgs, but would not even consider having my name put in with Dudley and crew. I figured maybe a site I’ve purchased gun accessories sold/“lent” my info, and am not too worried about the spam, but this is scary that such a blunder with personal info isn’t responded to… keep up the good fight ladies and gentlemen, much respect. .. TNJR

  2. This is what I was worried about – that the very real possibility existed that the NAGR had also been forwarding this information to others, not just myself. I would never abuse someone’s personal information that just fell into my hands like that, but I cannot guarantee the behavior of everyone else that may have received these emails.

    Marc, I strongly suspect, also has no reason or intention to ever abuse this information. But what about all of the people who aren’t coming forward to say, “Me, too” and yet received this information? We cannot guarantee their good behavior.

    That’s why the NAGR (and any other company or organization) must guard any and all private information passed to them. And yet, see what we have here. :/

  3. Pingback: Security Problems at NAGR? | Shall Not Be Questioned

  4. Most email clients will auto-complete email addresses. If someone mistyped the email address once, it may come up before the correct one in the list so it is used. People who aren’t adept at technology don’t understand this and may not know they need to delete the offending email from the quick pick list.

    I have extensive experience with this. Sometimes getting people to understand what they are doing wrong is impossible. In fact, I just got another email this morning meant for someone else who shares my name. Sometimes I reply to correct them, others I just delete.

  5. It sounds to me like their “Contact us” webpage generates an email — something that isn’t necessarily insecure but is not adequate for protecting personal information — and a human is then forwarding those emails to an incorrect address. I would guess that perhaps the public NAGR mailing (spam? I don’t recall signing up for it, but I get their mailings occasionally) list is being used as a Reply-to or From address on the message generated by the contact-us page. Thus, the human reading the contact-us page emails hits reply or reply-all and one of the addresses replied to is the public mailing list.

    A persistent typo as suggested above is also possible.

    I don’t recall getting any emails that looked like the one described here, but I will look and follow up if I see any.

  6. Pingback: Is your data safe with the National Association For Gun Rights? | Gun Free Zone

  7. Pingback: Mistakes that Compromise Your Data Security | Zahal IDF Blog News
