Last week, a client of mine forwarded this email to me:
Hi [client name],
My name is Uday and I represent Timgu, the only online marketing company in the UK founded by ex-Googlers. Between us we have over 10 years experience working with Google and Google products.
I am well aware that you currently do your online marketing though debbydoo but I think you should hear me out.Let me enumerate a few points as to why I think we would make a better choice for an online marketing company.
2. Since we are small we can attention to all our clients. And since we don’t work by the hour , we are constantly thinking of ways to optimise your campaign. An example of our work can be seen here (Link)
3. Of the 280000 searches on keywords relevant to just [client company] just 5% comes from the UK * ( Source Google). We can help you tap this global demand by crafting native language ads in any European and Asian language
4. You aren’t advertising on your own name. This leaves the door open for any competitor to bid for your name and have his ad coming above yours in the search result. We can help you avoid such pitfalls and maximise your ROI on PPC
5. We do not tie you up in a long term contract. If within the first 30 days you change your mind – you give us a day’s notice. After that its just a month’s notice. This is how confident we are that we can make a difference
I will give you a call on Friday and we can discuss this further if you are interested.
Thanks & Regards
We giggled at the misspelling of ‘debbidoo’, and agreed it was cheeky but ultimately wasn’t worth wasting any energy on. Not least because my client does his own AdWords management (I’ve never seen his AdWords account).
Timgu targeted one of my partners on Wednesday, 30th March. This time, the email came direct to me, because the email address was one I’d created @debbidoo.com specifically for creating an AdWords account for the partner’s client. Timgu’s email was addressed to [partner name] at [partner company name], at an email address similar to [client company name]@debbidoo.com. The email read:
My name is Marcin and I represent Timgu Ltd. – UK’s first digital media agency founded by ex-Googlers.
We operate across Northern Europe and have offices in London and Helsinki. Thanks to our Google background and vast experience in delivering the most efficient SEM strategies for companies across all major verticals we believe we could provide a top notch service to [partner company name].
We like to think that we are unique in this field and we continue to strive for the perfect online solution for each and everyone of our costumers with dedicated, transparent and open solutions.
If it suits you I would like to give you a call tomorrow to tell you more about our approach and the services we offer.
My first reaction, again, was “cheeky gits!” Filed away under ‘annoyances’ and almost forgotten about.
Five minutes later, I realised something. That combination of details – the partner’s name and company name, with that specific email address – had never been used anywhere other than during registration of the client’s Google AdWords account.
Add this fact together with the fact that three of Timgu’s founders claim to be former employees of Google, specialising in search marketing, and alarm bells start to ring.
I replied to Timgu’s email, telling them what cheeky gits they are for trying to poach my clients, and asking them how they had obtained a combination of contact details that have only ever been used in registering an AdWords account. Some hours later, one of the founders replied, saying that they don’t generally go out of their way to target other agencies’ clients, but this will happen from time to time. Very sorry etc. But he very neatly sidestepped my question about the data.
So I replied, asking again how he had come to be in possession of data that should only be known to Google. To date, I have not received a reply.
While all this was going on, I forwarded Timgu’s original email to Google’s AdWords security team, explaining the situation and my concerns, but received no reply. So I emailed firstname.lastname@example.org, forwarding the original email but changing the subject line so that they would understand the urgency.
I received an autoreply, saying the standard “we will look into it” stuff – but since then, nothing. Not a sausage. I have since emailed email@example.com on a further two occasions, asking why they have yet to deal with what *appears to be* some sort of security breach – but still, they have not replied.
What I want to know is: if AdWords data like names, company names and email addresses have found their way into unauthorised hands, what other data might be at risk? Might my clients’ payment details be vulnerable? Come to think of it, might yours?
And if this data is in any way vulnerable, why the hell haven’t Google replied to my emails and told me how they plan to deal with the matter?
What to do next? I honestly don’t know. Perhaps the moment I hit the ‘publish’ button, I’ll receive an email from Google telling me they’re dealing with it, and how. I rather suspect, however, that I’m not going to get a reply at all.
Perhaps there has been no security breach and I’m just a paranoid old bag. Perhaps Timgu have a valid reason for being in possession of a combination of contact details that have never been used anywhere other than in an AdWords account. Who knows? It doesn’t smell right to me, though.