Last Thursday it was reported that the Social Security numbers of the 1,250 teachers and school administrators in the Connecticut Technical High School System were mistakenly sent via e-mail to staff.
"The e-mail was sent to the system’s 17 principals…to inform them about a coming workshop. The file with the Social Security numbers was attached to the e-mail by mistake."
"At least one principal…then forwarded the e-mail to 77 staff members without opening the attachment containing the Social Security numbers."
A few important lessons here…
- Humans are the weakest link in the information security chain…train them well…often…and in many ways. Mistakes will still happen, but individuals will be more alert with good education by your organization.
- You may be tired of hearing me beat the encryption drum…but the beat goes on…if the file had been strongly encrypted, the data would have been unreadable by the recipients (at least those without the decryption key…which you would hope would be virtually all of them), making this a non-incident. Encrypt confidential data not only in motion, but also at rest.
- Confidential data in unstructured forms is highly vulnerable to being compromised.
- Once you send an email, you might as well consider it has been sent out into the wild…depending upon the email system and features used, you typically have no control over where the email is forwarded to; in this instance at least 94 people now have the SSNs of 1,250 people…and if any of them have also forwarded the email…the possibilities are exponential.