Does your organization ever re-use email addresses whenever someone leaves the company? Do you know that some of your customers’ and personnel’s email service providers re-use email addresses when their subscribers leave? Probably more than you realize.
A friend of mine recently told me about receiving some very interesting messages containing a large amount of confidential information to a new email account he had created. He created a fairly nondescript email address, let’s say it was something like C.SMITH@PopularISP.com. He started receiving email to his new address from an ecommerce business. The messages were basically purchase invoice statements and included a woman’s full name, full address, phone number, credit card number, account number, and purchase history. He called the woman to let her know this sensitive information was being sent to him. She said that she HAD used that email address, but that she had cancelled it a few months earlier. Apparently she did not notify the businesses with whom she communicated, or from whom she purchased products, through that address. It was a good thing my friend, who also happens to be a CISO, is a good guy and not some crook that would have used the information fraudulently.
This incident provides several lessons for information assurance professionals, just a few of which include:
· Do not send clear text confidential and personally identifiable information (PII) in email messages, particularly to mail domains outside your organization. It is very possible it could be received by someone else who is now using the email address that used to be used by someone else.
· Do not rely upon email communications to send important information or updates to your customers; they may no longer be using that address, and in fact someone else may be using it. Yes, it is ultimately their responsibility to let you know when their email changes, but most people use so many different email addresses that chances are many customers will not notify your organization when they stop using one of them.
· Periodically validate your customer email addresses; make sure your customers are still actually using them. For example, put a notice in their postal mailed statements telling them what you have on file for their email address and ask them to contact your organization if a different email should be used.
· Do not rely upon email as your primary means of breach notification; some, or even many, of your customers may no longer be using the email address you have on file for them. Even if some state breach notification laws allow email notices as the primary means of notification, it is a bad idea. I’ve blogged about this several times, such as here.
· Do not re-use individual employee email addresses within your own organization, particularly if your customers or other outside folks communicated regularly with a specific person. Doing this could also result in many internal messages being sent to new people with some former employee’s email address, potentially giving them information that they really should not be seeing. I’ve seen this happen several times… to the chagrin of those involved!
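The first two lessons above (no clear-text PII in email, and extra caution for mail domains outside your organization) are the kind of rule an outbound mail gateway can enforce rather than leaving to memory. The following is an added example, not code from the original post or from any ecommerce business it describes. It scans constructed invoice-style messages for payment card numbers (13 to 19 digits that pass the Luhn check), blocks a message carrying one when the recipient is outside the assumed internal domain `example-shop.invalid`, and masks the number when the recipient is internal. The messages, the domain name and the test card number are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed internal mail domain; any other recipient domain counts as outside the organization.
INTERNAL_DOMAIN = "example-shop.invalid"

# Constructed sample outbound messages (not from the original post).
SAMPLE_MESSAGES = [
    {   # invoice to an outside ISP mailbox, carrying a (test) card number
        "to": "c.smith@popularisp.invalid",
        "body": "Invoice 1042 for Jane Doe, 12 Elm St. Card 4111 1111 1111 1111, phone 555-0100.",
    },
    {   # the same kind of invoice, but addressed to an internal mailbox
        "to": "billing@example-shop.invalid",
        "body": "Copy of invoice 1042: card 4111-1111-1111-1111 charged 42.00.",
    },
    {   # a long digit run that is not a card number (fails the Luhn check)
        "to": "c.smith@popularisp.invalid",
        "body": "Your order reference is 1234 5678 9012 3456. Thanks for shopping.",
    },
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the raw substrings of text that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(m.group())
    return hits


def mask_card_numbers(text: str) -> str:
    """Replace every detected card number with asterisks, keeping only the last four digits."""
    for raw in find_card_numbers(text):
        digits = re.sub(r"[ -]", "", raw)
        text = text.replace(raw, "*" * (len(digits) - 4) + digits[-4:])
    return text


def is_external(address: str) -> bool:
    """True when the recipient's domain is not the organization's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


@dataclass
class Decision:
    action: str      # "send", "redact" or "block"
    reason: str
    body: str        # body as it would leave the gateway (masked when redacted, empty when blocked)


def check_outbound(msg: dict) -> Decision:
    """Decide what an outbound mail gateway should do with one message."""
    cards = find_card_numbers(msg["body"])
    if not cards:
        return Decision("send", "no card numbers found", msg["body"])
    if is_external(msg["to"]):
        # Outside the organization the mailbox may by now belong to someone else entirely.
        return Decision("block", f"{len(cards)} card number(s) addressed to external recipient", "")
    return Decision("redact", f"{len(cards)} card number(s) masked for internal delivery",
                    mask_card_numbers(msg["body"]))


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        d = check_outbound(msg)
        print(f"{msg['to']:<32} {d.action:<7} {d.reason}")
```

The Luhn check matters: without it, order references and other long digit runs would be blocked as card numbers and the rule would quickly be switched off as too noisy. Blocking rather than masking for external recipients reflects the post's point that you cannot know who holds the mailbox today; a blocked message should be reviewed and re-sent through a channel that does not depend on the address still being the customer's.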
Tags: awareness and training, data leakage, data loss, e-mail, email, Information Security, IT compliance, policies and procedures, privacy, privacy breach, regulatory compliance, risk management