Even if you have never sent a mail to the wrong person, you may spare a thought for a former Swiss bank worker from giant UBS. The unnamed person sent an e-mail to about one hundred people, detailing prices and other information in relation to an upcoming General Motors (GM) share issue.
The upshot of the information having been released before the share issue was that GM withdrew the business from UBS, as it felt that, if the issue went ahead with UBS as the underwriter, investors buying stock could seek refunds or damages.
The share issue was worth in the region of €9.5 billion and UBS is understood to have lost around €7.34 million in fees as a direct result.
Now, some six years ago, I was working for an IT security and services company and we were doing a lot of demonstrations of a device control application. It was pretty good and allowed companies to lock down certain devices, access ports and even to track sensitive information being written or copied across removable media and the like. To be honest, it was a bit of a hard sell at the time because people did not necessarily see the need for such tight controls.
A few years later, such capabilities were being built into even fairly basic information security tools, as there had been many high-profile cases of people using simple things such as USB sticks or iPods to simply walk out of companies with the crown jewels, as it were.
Today, it seems there is no excuse whatsoever for an “inadvertent” e-mailing. With information lifecycle management and secure e-mail all being common, how someone could be in a position to send such a sensitive document to a hundred unauthorised people is nigh on incomprehensible.
First of all, if the person in question was using some sort of insecure e-mail, such as Gmail, how were they able to get what should have been a secure document to an insecure access point that would allow them to then use an insecure e-mail service? And if it was sent using a secure e-mail service, such as a corporate account, why were content filters not able to pick up the fact that this was sensitive information being sent out of the company?
The likelihood is that this was not malicious, and there is no hint of such in the reporting, but rather a true case of a mistake. Surely, though, the systems in place should be able to detect and prevent such things?
In these troubled times where organisations can teeter on the edge of survival, a data breach of this nature can be the final straw. Now, I would not even suggest that this is the case with UBS, but there are few organisations that could boast of the kind of foundations of this institution and so this kind of situation must be taken very seriously.
Even the most senior people, who appear to require unfettered access to the most sensitive company data, can have a lapse in concentration or judgment. Therefore, companies must be protected against these lapses, intentional or otherwise. A genuine mistake is no defence when the consequences can be so costly.



