Email Security Incidents: Stories for Your Awareness and Training Files

I’m creating some information security training content, and today I spent some time researching actual stories of email incidents to add to my already bulging email incident file.  So many of the incidents reported in the news over the past couple of years involve emails: messages mistakenly sent to too many people; IDs put into TO: lines instead of the BCC: lines where they should have been; unencrypted data that is subsequently accessed by those who shouldn’t be seeing it; and so many other incidents resulting from end-user errors, lack of knowledge, and incorrect assumptions.

Email decisions are ultimately made by the people sending them.  It is important that they know and understand the impacts their email boo-boos can have…not only on themselves, but also on their companies.

I found some great stories, some recent and some older ones that I have just stumbled upon but that are still relevant today, that would be great for any organization’s awareness and training incident story arsenal.  Here are a few of them, with a few of my thoughts interspersed…

  • A story from last week from Riverside, California reports "an information technology worker inadvertently sent a routine e-mail intended for the payroll department to every inbox on the city’s system. The e-mail had an attachment with the names, addresses, Social Security numbers and 401(k) account numbers of 1,974 city employees."

Of course accidents will happen, even with awareness and training.  Be sure you have an incident response plan in place for when such accidents do occur.

  • At the end of June Mich Kabay wrote up a good, entertaining example of how the use, or non-use, of BCC: could create an e-mail incident.  "The problems caused by CC are worse when the recipients do not know each other. I have often received messages from technically unsophisticated correspondents who put dozens of e-mail addresses in the CC field even though many of the recipients are total strangers to each other. Such exposure of e-mail addresses always makes me nervous; who knows whether everyone on the list is trustworthy?"

Email addresses are considered personally identifiable information (PII) by many laws.  Putting them in plain view in the CC: or TO: lines can have a major impact on your company.  The FTC certainly does not look kindly upon revealing email addresses; remember the Eli Lilly incident from 2002?  It is the poster child story of this type of incident.  The impact of that incident is lasting 20 years and is costing the company millions of dollars.  A big price to pay for an "oops"!

  • There are many great examples of email incidents in a piece from PC World from 2002, "D’oh! The Most Disastrous E-Mail Mistakes."  This article provides many examples of email gone wrong…accidentally sending inappropriate email to a mail group…accidentally copying everyone on the email system on a personal email…inappropriate email messages being discovered through monitoring…accidentally sending PII to others…and so many others. 

I know many more email incidents occur than are reported; most companies keep these ethereal email woes to themselves if at all possible.  However, even the most innocent email incident can have a profound, long-lasting impact.
