
In an age in which breach disclosures are an everyday norm and governments are trying to protect their citizens’ privacy with regulatory measures like GDPR, it is important not to ignore the risks associated with email leakage.

Too often, organizations establish best practices around data protection on servers and workstations only to violate those practices with poor email behavior.

Let’s look at three real-life scenarios based upon my own experiences over the past couple of years.

Example One – Negligent Distribution

In one recent example, an email address of mine was accidentally copied on a message asking for assistance with a marketing campaign. The message involved a number of very large brands that you would instantly recognize. Interestingly, the email contained a data dump of every customer for a given product, including their email address, phone number, postal address, and other information. Given that this dump also included people located in GDPR jurisdictions, it is highly likely that this customer PII was protected for most use cases, yet it was extracted and emailed with no regard for the security policy and protection standards that should have applied. Nor did the organization extract only the data relevant to the task (in this case, the email address was all that was needed); instead it shared the entire order database, an aggregate of information that most users would consider a violation of their privacy. Also, one of the third-party recipients of this data was a company in China.

Recommendations:

  • If your policies prescribe the protection of PII, don’t violate those policies via email. Even without an inadvertent addressee on the message, sending sensitive PII through insecure messaging hardly meets any diligence standard.
  • At the very least, distribute only the fields necessary for the task at hand, not the entirety of a customer’s PII.

Example Two – Lazy Loops

In the second example, a web development shop built a new e-commerce capability for a large retailer. To monitor the progress and performance of the new system, they hard-coded that every order placed should generate an email with the order details for the developer to review. As you can probably guess, there was a typo in their code and I ended up receiving all of their customer orders instead, which created a near denial-of-service situation for my inbox that was quickly fixed with a custom Gmail filter.

More importantly, because the lazy feedback loop (via email) was combined with the typo, customer PII consisting of name, address, email, phone number, item ordered, and the last four digits of the credit card number was sent to a third party.

Recommendations:

  • Don’t use email as a feedback loop for sensitive customer information that would otherwise be securely stored on the server.
  • If email use is required, validate that it is working properly before deploying a live version that will process real customer data.
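The two recommendations above (and the data-minimization point from Example One) are easy to turn into a small guard in the notification code itself. The following is an added example, not code from the original post or from the development shop described: an order-notification helper that includes only the fields a monitoring recipient actually needs and refuses to send to any address outside an explicit allowlist, so a typo in a hard-coded developer address fails loudly in testing instead of leaking customer PII to a stranger. The domain names, field names and sample order are all constructed for illustration.

```python
"""Added example (not from the original post): order notifications that
carry no PII and can only go to allowlisted recipients.

All names, domains and sample data are constructed for illustration."""
import re
from typing import Optional

# Hypothetical allowlist of domains an order notification may ever go to.
ALLOWED_RECIPIENT_DOMAINS = {"dev.example-shop.test"}

# Fields that are safe to put in a monitoring email. Everything else in the
# order record (name, address, card digits, ...) stays on the server.
MONITORING_FIELDS = ("order_id", "placed_at", "item_count", "total_cents")

# Constructed sample order as the e-commerce back end might store it.
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "placed_at": "2024-03-01T10:15:00Z",
    "item_count": 2,
    "total_cents": 4998,
    "customer_name": "Jane Doe",
    "email": "jane@customer.example",
    "phone": "+1-555-0100",
    "address": "1 Main St, Springfield",
    "card_last4": "4242",
}

_ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def recipient_domain(addr: str) -> Optional[str]:
    """Return the domain part of an address, or None if it is malformed."""
    m = _ADDR_RE.match(addr)
    return m.group(1).lower() if m else None


def recipient_allowed(addr: str, allowed=ALLOWED_RECIPIENT_DOMAINS) -> bool:
    """True only if the recipient's domain is on the allowlist.

    A transposed letter in the domain ("exmaple") is simply not on the
    list, so a mistyped developer address is rejected before sending."""
    domain = recipient_domain(addr)
    return domain is not None and domain in allowed


def minimize(record: dict, fields=MONITORING_FIELDS) -> dict:
    """Keep only the named fields; drop every other key (the PII)."""
    return {k: record[k] for k in fields if k in record}


def build_notification(order: dict, recipient: str) -> dict:
    """Assemble the message that would be handed to the mailer.

    Raises ValueError instead of sending when the recipient is not
    allowed, and never includes PII fields in the body."""
    if not recipient_allowed(recipient):
        raise ValueError(f"refusing to send order data to {recipient!r}")
    safe = minimize(order)
    body = "\n".join(f"{k}: {v}" for k, v in safe.items())
    subject = f"Order {safe.get('order_id', '?')} placed"
    return {"to": recipient, "subject": subject, "body": body}


if __name__ == "__main__":
    print(build_notification(SAMPLE_ORDER, "dev@dev.example-shop.test"))
    try:
        build_notification(SAMPLE_ORDER, "dev@dev.exmaple-shop.test")
    except ValueError as err:
        print("blocked:", err)
```

Because `build_notification` raises rather than sends, the typo surfaces the first time the code path runs in a staging environment, which is exactly the pre-launch validation the second recommendation asks for.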

Example Three – Fat Finger Follies

Several years ago, while working with a partner, I noticed that I kept mistyping one word in their name. Instead of “angel” I kept typing “angle”, and since both are legitimate dictionary words, the typo was not detected by any spellchecking software.

On a whim, I wondered whether the “angle” version of their domain name was available (it was). With their permission, I registered it to see what sort of traffic the typosquatting domain would receive, and incorporated the results into a cybersecurity training session for the company.

It turned out that a lot of people were making the same mistake as me, and once the domain was live it started receiving:

  • Sensitive business correspondence.
  • Sensitive employee communications from third parties like healthcare and mortgage companies.
  • Great intelligence in the form of the private email addresses of some very interesting tech luminaries, including:
    • Reid Hoffman
    • Mark Zuckerberg and Priscilla Chan
    • Marc Benioff
    • Jack Dorsey

It turned out that even internal employees made the same mistake, and some internal messages leaked outside the organization to the domain owner. Luckily, the domain owner in this case was a trusted third party, but the domain could just as easily have been registered by a malicious actor and used for criminal purposes.

Recommendations:

  • Typosquatting is a known issue in the corporate world, but organizations should also look for dictionary-word variations that are easy mistakes to make.
  • Register any relevant domains and either alias or bounce email messages that arrive at the mistaken domain.
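One way to act on both recommendations is to enumerate the adjacent-letter transpositions of your own domain label, single out the ones that are themselves dictionary words (the “angel” to “angle” case, which no spellchecker will catch), register those, and flag outbound mail addressed to them. The following is an added example, not code from the original post: the placeholder domain `angel.example`, the tiny word list and the outbound mail log lines are all constructed, and a real deployment would use a full dictionary such as `/usr/share/dict/words` and the mail gateway's actual log format.

```python
"""Added example (not from the original post): find spellcheck-silent
look-alike domains and flag outbound mail addressed to them.

Domain, word list and log lines are constructed for illustration."""
import re

# Placeholder for the partner's real domain, which the post does not name.
CANONICAL_DOMAIN = "angel.example"

# Tiny stand-in for a real word list (e.g. /usr/share/dict/words).
WORDS = {"angel", "angle", "form", "from", "trail", "trial", "united", "untied"}


def transposition_variants(label: str) -> set:
    """All strings obtained by swapping two adjacent characters of label."""
    out = set()
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        if swapped != label:
            out.add(swapped)
    return out


def dictionary_variants(label: str, words=WORDS) -> set:
    """Transpositions that are real words: the dangerous, spellcheck-silent ones."""
    return {v for v in transposition_variants(label) if v in words}


def typo_domains(domain: str, words=WORDS) -> set:
    """Look-alike domains built from the dictionary-word variants of the
    first label; these are the ones worth registering and aliasing."""
    label, _, rest = domain.partition(".")
    return {f"{v}.{rest}" for v in dictionary_variants(label, words)}


# Constructed outbound mail log, one message per line.
OUTBOUND_LOG = """\
2024-03-01T09:00:01Z from=alice@angel.example to=bob@angel.example status=sent
2024-03-01T09:02:17Z from=carol@angel.example to=hr@angle.example status=sent
2024-03-01T09:05:44Z from=dave@angel.example to=vendor@supplier.example status=sent
"""

_TO_RE = re.compile(r"\bto=([^@\s]+)@([^\s]+)")


def flag_outbound(log: str, watch_domains: set) -> list:
    """Return log lines whose recipient domain is a known typo variant,
    i.e. internal mail about to leave for whoever owns the look-alike."""
    flagged = []
    for line in log.splitlines():
        m = _TO_RE.search(line)
        if m and m.group(2).lower() in watch_domains:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    variants = typo_domains(CANONICAL_DOMAIN)
    print("register or monitor:", sorted(variants))
    for line in flag_outbound(OUTBOUND_LOG, variants):
        print("LEAK RISK:", line)
```

Running the block lists `angle.example` as the variant to register and flags the one internal message addressed to it; the same `watch_domains` set can feed a transport rule on the outbound gateway so such messages are held or bounced rather than delivered.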

Conclusion

Most organizations regard email as a well-managed component of their IT infrastructure, but common mistakes, laziness, and poor security practices can result in significant privacy violations. In two of these examples, the third party wasn’t even trying to collect sensitive information; it simply arrived in the inbox.

Employers should make sure that training and awareness programs highlight what content can be distributed via email and how such content will be protected in transit and by the recipient. If you must share content via email, minimize the fields shared to the essential elements and use encryption to protect the data in transit.

While we often think about security in terms of increasing complexity, it is sometimes the simple stuff that catches us by surprise, so don’t exclude the risks associated with poor email practices from your risk management reviews.

Matt Devost

About the Author

Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see www.devost.net