In late 2015, 15 million T-Mobile customers learned that they had been victims of a two-year security breach at Experian. Since then, the 150-million victim Equifax breach has made the Experian breach look kind of puny, but at the time it became public it was a Big [expletive] Deal.
Of course, a class-action lawsuit was filed against Experian shortly after the breach became public. In late 2018, a settlement was announced. The court gave final approval to the settlement in May 2019, and the administrators have recently begun notifying class members by email about how to claim the two years of free credit monitoring and identity theft insurance provided for in the settlement.
Unfortunately, most of the victims will never see those emails because of gross incompetence and malfeasance by the people sending them.
The emails are being sent with this From line:
From: "In re Experian Data Breach Litigation Settlement Administrator" <firstname.lastname@example.org>
The domain “classact.com” shown in the From line is protected by this DMARC policy:
$ host -t txt _dmarc.classact.com
_dmarc.classact.com descriptive text "v=DMARC1; pct=100; p=reject; sp=reject; adkim=r; aspf=r"
DMARC is an email authentication policy protocol. It tells servers that receive email claiming to come from a domain what to do when they cannot verify, via an SPF or DKIM result that aligns with the domain in the From header, that the message actually comes from that domain. The policy shown above says to reject (“p=reject”) all (“pct=100”) messages that fail that check.
Unfortunately, that includes the email messages from the settlement administrators, because the domain in the from line (“classact.com”) doesn’t match the domain of the servers sending the message (“bluehornet.com”).
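To make the failure concrete, here is a small Python model of the alignment check a DMARC-enforcing receiver performs. It is an added illustration, not code from the original post; it uses the classact.com record quoted above and the sending-domain situation the post describes, and its organizational-domain logic is a simplification (real receivers consult the Public Suffix List).

```python
# Constructed from the page: the published record and the message situation.
DMARC_RECORD = "v=DMARC1; pct=100; p=reject; sp=reject; adkim=r; aspf=r"


def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict, filling in DMARC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    # Simplification: treat the last two labels as the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment matches organizational domains; strict ('s')
    requires an exact match. An authentication that failed aligns with nothing."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass', or the policy action a DMARC-enforcing receiver applies.

    spf_domain:  MAIL FROM domain that passed SPF, or None if SPF failed.
    dkim_domain: d= of a DKIM signature that verified, or None if none did.
    pct sampling is omitted: pct=100 means every failing message gets p."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]):
        return "pass"
    if aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    # A From domain below the record's domain uses sp when it is set.
    policy_domain = org_domain(from_domain)
    if from_domain.lower() != policy_domain and tags["sp"]:
        return tags["sp"]
    return tags["p"]
```

With the record above, a message whose From is classact.com but whose SPF and DKIM both authenticate only bluehornet.com gets "reject"; the same message carrying a verifying DKIM signature with d=classact.com would pass.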
As of 2017, 76% of email accounts in the world were on servers that enforce DMARC (ref). That number is even higher now. That means that the vast majority of victims who were sent this email are never going to see it, because their servers are going to reject it.
The incompetence displayed here is truly staggering.
I will be sending email to the settlement administrators (Robinson Calcagnie, Inc. and Ahdoot & Wolfson, PC) asking them to address this, but they will probably ignore me. After all, why should they care? They get their money whether or not the victims receive what they were promised. The only people who come out ahead in class-action lawsuits are the lawyers.
UPDATE: When I attempted to email the settlement administrators about this problem, my email bounced from two of the people on the list, because the list (email@example.com) is hosted on outlook.com, which regularly modifies email messages when forwarding them and breaks DKIM signatures (ref), despite the fact that the people at Microsoft who run outlook.com have known about this problem for years.