Application and Cyber Security Blog:

a Security Innovation Blog covering software engineering, cybersecurity, and application risk management


When is Spam Considered a Breach?

As a Marketing professional, I understand the need to promote products and services through a variety of ways. It’s part of business, and you want to help the sales organization sell as best you can.

But as someone who’s been in the IT Security industry for a while, there are limitations on what you can and cannot do. There are privacy concerns, policy challenges and a slew of other considerations to think about in how you reach (without being too intrusive) the people and organizations you want to reach to tell your story.

What’s the point? Well, a restaurant that opened recently next door to a former employer of mine just blasted out a promotional email about some recent menu additions. This includes:

  • A creamy, cold potato soup
  • Cool and refreshing fruit soups (isn’t that a smoothie, Einstein?)
  • Yummy gazpacho
  • And their very own summer salad, highlighted by avocado and delicious shrimp

Sounds exquisite right? Yep, except for the fact that I was on an email list where the brilliance of the sender was revealed in not BCC’ing the recipients, but rather just dumping the addresses into the TO field. Luckily it’s my Yahoo! address that I am retiring, but the fact remains, I think my identity has been breached, along with 214 other people.

From a security standpoint, this is egregious – I mean maybe there isn’t a lot of harm one can do with getting one’s hands on 215 email addresses. But anyone who entered their business email address may be at a greater risk.
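The failure here is purely mechanical: the whole subscriber list went into the To header, which every recipient sees, instead of staying in the SMTP envelope. The following is an added example, not code from the post or from the restaurant's mailing tool, that builds both versions of such a message with Python's standard `email` and compares what ends up on the wire. The sender address and the subscriber addresses are constructed placeholders, and the Bcc stripping mirrors what `smtplib.send_message` does before transmitting a message.

```python
import copy
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed placeholder addresses; none of these come from the post.
SENDER = "promo@restaurant.example"
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def build_leaky_message(recipients):
    """The mistake described in the post: every subscriber in the To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "New summer menu"
    msg.set_content("Cold potato soup is back.")
    return msg


def build_safe_message(recipients):
    """Sender addresses itself in To; subscribers travel only as Bcc,
    which never reaches the other recipients' headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Subject"] = "New summer menu"
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content("Cold potato soup is back.")
    return msg


def envelope_recipients(msg):
    """SMTP RCPT TO list: To, Cc and Bcc all count, exactly like
    smtplib.send_message computes it."""
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(header, []))
    return [addr for _, addr in getaddresses(values) if addr]


def wire_bytes(msg):
    """Serialize the message as it would leave the MTA: the Bcc header is
    removed from the copy, so it is not visible to any recipient."""
    outgoing = copy.copy(msg)
    del outgoing["Bcc"]
    return outgoing.as_bytes()


def exposed_addresses(wire, subscribers):
    """Which subscriber addresses are readable in the transmitted headers."""
    parsed = message_from_bytes(wire, policy=default)
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in parsed.get_all(header, []))
    visible = {addr for _, addr in getaddresses(values) if addr}
    return sorted(a for a in subscribers if a in visible)


if __name__ == "__main__":
    for label, builder in (("leaky", build_leaky_message), ("safe", build_safe_message)):
        msg = builder(SUBSCRIBERS)
        leaked = exposed_addresses(wire_bytes(msg), SUBSCRIBERS)
        print(f"{label}: delivered to {len(envelope_recipients(msg))} recipients, "
              f"{len(leaked)} subscriber addresses visible in headers")
```

Both messages are delivered to the same people; the only difference is whether the list of 215 addresses rides in a header everyone can read or in envelope commands that the receiving server discards. The check in `exposed_addresses` is the kind of pre-send test a bulk-mail script should run on its own output.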

Ironically enough, there are people from MITRE Corporation and RSA on there, which is interesting, but also Thermo Fisher, Acme Packet, Sovereign Bank, Hologic, EMC, Telcolote, and Lahey Clinic, just to name a few. One could trace these names back to the organization or some social media network and dig deeper into the identities of these folks.

This speaks volumes to the issue of human behavior as it relates to security. In fact, more and more, I think security exists BECAUSE of human behavior. If there wasn’t a lust for credit card numbers and other PII (based on commanding top dollar for that data), then the world of IT security wouldn’t be as lucrative a business.

This example of an inadvertent exposure of email addresses illustrates that human behavior stays the same even as security concerns grow, especially in the “Internet Age” (bad cliché). But it’s true: the hacktivist acts of LulzSec and Anonymous have proven that the information that should be most secure really isn’t, so organizations aren’t doing what they need to in order to effectively secure it (not doing your job, yes, that would be considered by some to be bad behavior).

(Enter plug here) We’ll have an article coming out soon on the changes, or lack of changes in human behavior organizationally, as they relate to security.

My mistake: didn’t ask for or sign a disclaimer

At the end of the day, I probably won’t lose sleep over this breach – yes it’s a breach – but it points out that caffeine addiction really takes you off your a-game:

  • I provided my email address without asking what the restaurant’s policy was in terms of sharing my email, selling my email or what they were going to do to protect my identity. Shame on me, and don’t be like me.
  • I used an email address I don’t use much anymore – and actually it’s prompted me to retire it officially. But it might be a good idea for anyone else to do the same, or if you have used your business email address and you’ve had that email address exposed where it shouldn’t be, find out what type of encryption is being used.
  • People do anything for something free – a t-shirt, a cup of coffee, a chance to win an iPad. So think about how much that free thing is worth before you offer up your PII for it next time. I provided it for a free cup of joe that won’t compare to what I’ll be drinking in Seattle soon. Sad.

Probably much ado about nothing here, and as much as I am tempted to expose the restaurant and the sender, I might just connect with them privately to let them know that from a marketing perspective, boy, that cold potato soup sounds great, but from a security standpoint, that was a huge no-no…
