
Are you creating a data breach without realising it?

Almost every day the press publishes stories about the latest organisation to leak private and/or personal information. Sometimes this is due to cyber crime, and sometimes it’s due to careless acts. Surely you wouldn’t be doing anything that could put information at risk, would you?

Unfortunately there is one action that I see all too often that inadvertently leaks valuable information. Most of the time this passes without incident; however, this is more by luck than judgement. There have been recent cases of organisations being fined significant sums by the Information Commissioner’s Office because of this simple error. In one recent case, the fine was in the region of £150,000!

Aside from the financial penalties, there can be significant harm caused by this simple oversight. Private information can be shared with major consequences for the individual(s) concerned.

So, what is this terrible act? I’m sure you’d never be involved in such a heinous information security breach, would you?

Unfortunately I’m guessing that you may have done this without realising it.

The act I’m referring to is that of sending an email to multiple recipients without taking care to protect the recipient list. It’s easily done. You may want to send some interesting sales information to 40 customers at once. So, you put the recipients in the To: box, type your content and hit send. Great. Unfortunately, each recipient can now see the email address of every other recipient. Frequently this reveals names and company details. It could reveal much more. I recently received an email sent by an eager potential supplier of security solutions. I felt somewhat less special when I noticed that it included a full list of other recipients. It’s reasonable to assume that these would also be IT professionals working in the field of security for their various organisations. These included government employees, large corporate organisations, etc. It’s fair to say that the sender will have had a fairly busy email box the following day, and not many of the responses would be positive.

Now imagine if the mailing list had been for people with a particular medical condition. What if some recipients knew each other? So many potential issues. No wonder that the ICO takes a dim view of such matters.

The moral of this tale is that if you intend to send email to multiple recipients, take care to protect their information. Simply use the Bcc: field instead of To: or Cc: and you will hide the recipient addresses. That simple action could save your information, your organisation and even your job. Oh, and if you are sending confidential information, check and double check the recipients before hitting send. You really don’t want it going to Dave at the local newspaper, when you actually need it to go to Dave in HR.
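For teams that send bulk email from a script, the same rule can be enforced before anything leaves the building. The following is an added example, not code from this article: a pre-send guard that moves an exposed To:/Cc: list into the SMTP envelope, which is what Bcc: does. The threshold `MAX_VISIBLE`, the function names and the example.com addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 5  # assumed policy threshold, not a figure from the article


def visible_recipients(msg):
    """Addresses every recipient can read: those in the To and Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def protect_recipients(msg, sender):
    """Return (message, envelope_recipients) ready for an SMTP client.

    If To/Cc expose more than MAX_VISIBLE addresses, they are all moved to
    the SMTP envelope (the Bcc behaviour) and the visible To becomes the
    sender's own address.
    """
    exposed = visible_recipients(msg)
    bcc = [a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    envelope = sorted(set(exposed) | set(bcc))
    del msg["Bcc"]  # a Bcc header must never travel with the message
    if len(exposed) > MAX_VISIBLE:
        del msg["To"]
        del msg["Cc"]
        msg["To"] = sender
    return msg, envelope


def sample_message(n_to, bcc=None):
    """Constructed test message with n_to customers in the To header."""
    msg = EmailMessage()
    msg["From"] = "sales@example.com"
    msg["To"] = ", ".join(f"customer{i}@example.org" for i in range(n_to))
    if bcc:
        msg["Bcc"] = bcc
    msg["Subject"] = "Sales update"
    msg.set_content("Constructed sample body.")
    return msg


if __name__ == "__main__":
    safe, envelope = protect_recipients(sample_message(40), "sales@example.com")
    print("Visible to every recipient:", visible_recipients(safe))
    print("Delivered to:", len(envelope), "addresses")
```

The returned envelope list is what you pass as `to_addrs` to `smtplib.SMTP.send_message`, so delivery still reaches everyone while the headers show only the sender.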
