Mailtumble, the service we designed for data security.

We’ve implemented a service we call Mailtumble. If you see email addresses that look like 333–3435343-assa4sd-gre3@mailtumble.com then this article is for you.

First lets start with some laws here in Australia and also what is coming.

Mandatory data breach notification

The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach.
This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
Examples of a data breach include when:
* a device containing customers’ personal information is lost or stolen
* a database containing personal information is hacked
* personal information is mistakenly provided to the wrong person.

So lets consider, PoweredLocal collects a bucket load of data for you, thousands and thousands of email addresses, personal email addresses, personally identifiable information.

If you had an (ex)employee or if anyone even accidentally got control of the data we send to you or that is available in our portal, then you would have to send out a notification to all these customers of yours and it must set out;

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned and;
  • recommendations about the steps individuals should take in response to the data breach.

When does it take effect?

The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date. But we’re getting prepared now.


So as we see this coming, we also look at other laws, both Australian an international laws that we know influence policy shift and changes in Australia around how users may request information on who has their data and how they got it.

So we were in one of our daily stand-up meetings discussing this one day and we dreamt up this idea

What if we could have an email masking solution, where and email address can be masked individually for each of our customers. So if there was a breach, malicious or not, we could simply disable the masked address and generate a new one, that would mean any breach could be stopped dead in its track. And by having a unique one for each businesses, it means we could not only re-generate an email address for that business and not effect others, but if a breach came to light, even just a single address was discovered, we could actually work backwards to figure out where the breach was and work with the business owner to stop it in its tracks and disable all others in that database.


There are systems that work like this already for privacy. Say you buy something off eBay and you end up messaging the seller, eBay are smart enough to know that they don’t want the seller contacting you or letting your email address get into the wrong hands, so they generate a temporary forwarding address for you — eg crazym_fqs5898mdfx@members.ebay.com.au

Then when the seller replies, you get a temporary one for them. Mail Tumble is a similar system, where a masked email address gets to its intended recipients email address without it running the risk of unmasking each parties privacy.


So one visitor in our database, lets use an example of their email address being marcel@poweredlocal.com, may have many relating @mailtumble.com addresses. In the below diagram, you can see that this wifi user (visitor_id of 60) has a number of correlating @mailtumble.com email addresses. That is because this visitor, who we have a complete record for in our database, has been to many different venues. Any of the below emails would reach marcel@poweredlocal.com but if one of the venues notified us of a breach, we could disable just that one @mailtumble.com email address and the rest could continue to email that user.

We actually take it a step further & monitor all known data breaches that include the @maitumble.com domain. So as soon as there is a breach of data reported, we scan the databases for any @mailtumble.com email addresses and can instantly take action to protect that user and also inform our customers that their databases have been breached.

You can check your own email address to see if its been part of a hack or breach on sites such as BreachAlarm.


A few final thoughts.

Mailtumble also can filter for infected systems sending out email to users — so not a hack, but say your work computer that you keep your email database on has become the victim of Malware. We’ve all seen this, where we get an email from a friend or colleague, asking us to open a ZIP file or click a suspicious link. Mailtumble can also help mitigate this by scanning emails for viruses before they get out.

We can prevent spam by one system by stopping it in its tracks.

We can prevent Good email senders from being put into the same basket as the Bad ones. When these systems protect everyone, we have happier wifi users that know they are not going to be over marketed to.


You can read more about the technical aspects of mailtumble here. We also believe this solution will help everyone and we’re giving away the source code for free.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.