I received “one of those” letters this week. An insurance company that provided long term health care insurance for me had “inadvertently emailed a document containing information relating to your insurance relationship with us, including your name, address, date of birth, Social Security number, and salary information, to another individual at” a company I no longer work for. They went on to indicate that the recipient did the right thing: notified the insurance company plus his own management and deleted the document. They apologized profusely and indicated they “remain committed to protecting the privacy of personal information.” They also offered to provide me with two years of an identity theft protection program provided by a reputable third party.
The people I know in that receiving company’s HR department are ethical people. When they received such a document, I believe they did exactly the right thing. They are trained in ethics every year, as is everybody in that company, and the company takes business ethics very seriously and makes that fact known to everybody: employees, contractors, and partners.
But I am going to take advantage of that offer. Not because I’m concerned about identity theft, but to send a strong message to that insurance company. I already use LifeLock, check one of the free credit reports every four months, and monitor all bank accounts weekly and credit card accounts monthly. The insurance company already had to air its dirty laundry to several State governments as well as the US federal government, and potentially foreign countries. They had to determine exactly whose information was compromised. I know it was not just mine because over 50% of the current and past employees I have talked to have received the same letter. Primarily, I’m going to add the cost of those two years of protection to the money they have already paid. As I have mentioned before, the Ponemon Institute reports that the average cost to a company that had a data breach is over $200 per compromised individual.
I can’t fault the insurance company’s response. They are doing the right thing, and it is costing them real dollars and probably some lost business. But they did this one to themselves. It was a stupid mistake – no other word is appropriate. Not only did an employee do something stupid, and they will periodically do that, but the insurance company did not have the appropriate safeguards in place to prevent or at least flag this data breach before the data left its control.
Over half of the people I have talked to who received the same letter have not worked for the company for years. All of our insurance terminated the day we left the company. The insurance company has no responsibility to deal with any of us except under unusual circumstances that would require special processing. Why is our information merged into the active employee database?
It is still true that the main threat is from the outside. In the last 12 months there have been many serious data breaches, including the theft and posting on the Internet of over six million LinkedIn password hashes (unsalted, and many of them cracked within days) and over 450,000 Yahoo passwords posted in plaintext. Why should you care about the liberation of social media passwords? Because people tend to be lazy. If one of your employees had one of those stolen passwords, it is fairly easy for someone to figure out that the employee works for you; the leaked record usually carries an email address or a profile that names the employer. Odds are, your employee uses the same password or a very similar password to access your corporate information (e.g., ends with “2” instead of “3”), and a few trailing-digit and suffix variations of the leaked password are the first thing an attacker tries. It is a matter of minutes for someone with that information to break into your system and cost you significant loss of money, reputation, or intellectual property.
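The “same or very similar password” problem above is something a defender can measure rather than guess at. The following is an added example, not code from the original post: it takes a constructed, entirely fictional breach dump (plaintext credentials, as the Yahoo dump was) and a constructed corporate password store (hypothetical, salted PBKDF2 hashes), generates the cheap mutations an attacker would try first (case changes, trailing number bumped up or down, common suffixes added or stripped), and reports which employees’ corporate passwords are the leaked one or a variant of it. The user names, salts and passwords are all made up for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample: credentials as they appear in a leaked social-media dump
# (plaintext, keyed by the sign-up email address). Fictional data.
LEAKED_DUMP = {
    "jsmith@example.com": "Summer2012!",
    "ajones@example.com": "qwerty",
    "rlee@example.com": "correct-horse",
}

PBKDF2_ROUNDS = 20_000  # kept low for the demo; a production store uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the corporate password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed corporate directory (hypothetical): email -> (salt, password hash).
# jsmith reused the leaked password with the year bumped, ajones reused it with a
# "1" appended, rlee chose something unrelated.
CORPORATE_STORE = {
    "jsmith@example.com": (b"salt-jsmith", hash_password("Summer2013!", b"salt-jsmith")),
    "ajones@example.com": (b"salt-ajones", hash_password("qwerty1", b"salt-ajones")),
    "rlee@example.com": (b"salt-rlee", hash_password("Tr0ub4dor&3-xkcd", b"salt-rlee")),
}


def variants(password: str) -> list:
    """The lazy mutations an attacker tries first, in order: the password itself,
    case changes, the trailing number moved by -1/+1/+2, common suffixes added,
    trailing digits and punctuation stripped."""
    out = [password, password.lower(), password.upper(), password.capitalize()]
    m = re.search(r"(\d+)(\D*)$", password)  # trailing digit run plus any punctuation after it
    if m:
        head, digits, tail = password[: m.start(1)], m.group(1), m.group(2)
        for delta in (-1, 1, 2):
            bumped = int(digits) + delta
            if bumped >= 0:
                out.append(f"{head}{str(bumped).zfill(len(digits))}{tail}")
    for suffix in ("1", "!", "123", "2012", "2013"):
        out.append(password + suffix)
    stripped = password.rstrip("!@#$%0123456789")
    if stripped and stripped != password:
        out.append(stripped)
    return list(dict.fromkeys(out))  # de-duplicate while keeping order


def users_at_risk(leaked: dict, store: dict) -> dict:
    """Return {user: matching password} for every leaked account whose corporate
    password equals the leaked one or one of its cheap mutations."""
    hits = {}
    for user, leaked_pw in leaked.items():
        record = store.get(user)  # a real deployment maps leaked email -> corporate identity
        if record is None:
            continue
        salt, digest = record
        for candidate in variants(leaked_pw):
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                hits[user] = candidate
                break
    return hits


if __name__ == "__main__":
    for user, pw in users_at_risk(LEAKED_DUMP, CORPORATE_STORE).items():
        print(f"{user}: corporate password is leaked variant {pw!r}; force a reset")
```

Run on the constructed data this flags jsmith and ajones and leaves rlee alone. The same loop, fed a real breach corpus and your own directory, is the check to run the day a dump goes public, before the attacker runs it for you.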
There are enough evil criminals out there attacking your systems and your information; don’t add to the danger with poorly trained employees, badly written software that fails to validate its inputs, or insufficient and ineffective edge protection tools. Edge protection tools (data loss prevention, or DLP, gateways) inspect what is actually leaving your site over the Internet, in email, attachments and web uploads, and can block or flag messages that contain patterns such as Social Security numbers, dates of birth or salary figures. That is the safeguard the insurance company was missing: a single record going out to the wrong address should have been flagged, and a whole employee file should never have made it past the gateway.
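What such an outbound check looks like in practice, as an added example that is not part of the original post: a scanner over the text of an outgoing message or attachment that looks for structurally valid Social Security numbers (rejecting the 000/666/9xx area, 00 group and 0000 serial values that are never issued), labelled dates of birth and salary figures, then allows, flags or blocks. The verdict rules (flag on any SSN or on two different indicators, block on three or more distinct SSNs because that is a data set, not a single case) and the sample messages are my own constructed illustrations, not the policy of any real product.

```python
import re

# Dashed SSN whose parts are all in the issued range: area not 000/666/900-999,
# group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Date of birth only when it sits right after a DOB-style label (bare dates are too noisy).
DOB_RE = re.compile(r"(?i)\b(?:dob|date of birth|birth ?date)\b\W{0,10}(\d{1,2}/\d{1,2}/\d{4})")
# Salary figure after a "salary" / "annual compensation" label.
SALARY_RE = re.compile(r"(?i)\b(?:salary|annual comp\w*)\b\W{0,10}\$?\d{2,3},\d{3}")

BULK_THRESHOLD = 3  # this many distinct SSNs in one message is an export, not a single case


def scan_outbound(message: str) -> dict:
    """Classify an outbound message body or attachment text as allow / flag / block."""
    ssns = set(SSN_RE.findall(message))          # distinct SSNs, so a repeated one counts once
    indicators = {
        "ssn": len(ssns),
        "dob": len(DOB_RE.findall(message)),
        "salary": len(SALARY_RE.findall(message)),
    }
    if len(ssns) >= BULK_THRESHOLD:
        verdict = "block"
    elif ssns or sum(1 for n in indicators.values() if n) >= 2:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, "indicators": indicators}


# Constructed sample messages (fictional people and numbers).
NEWSLETTER = (
    "Reminder: open enrollment for 2013 benefits closes 11/30/2012. "
    "Questions? Call 800-555-0100."
)
SINGLE_CASE = (
    "Hi Bob, per your claim question: employee Jane Doe, SSN 123-45-6789, "
    "DOB 04/12/1965, has coverage through 12/31/2012."
)
BULK_EXPORT = """name,ssn,dob,salary
Jane Doe,123-45-6789,04/12/1965,85000
John Roe,234-56-7890,09/03/1971,92000
Sam Poe,345-67-8901,01/22/1980,101000
"""

if __name__ == "__main__":
    for label, msg in (("newsletter", NEWSLETTER), ("single case", SINGLE_CASE), ("bulk export", BULK_EXPORT)):
        result = scan_outbound(msg)
        print(f"{label:12s} -> {result['verdict']:5s} {result['indicators']}")
```

The 800-555-0100 phone number in the newsletter is the kind of thing a naive “nine digits with dashes” rule would flag; the 3-2-4 grouping and the issued-range checks keep it quiet. In a real gateway the text would come from the decoded attachment, not just the body, since the letter in this post was about an attached document.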
You probably provide annual ethics training to your employees. You should definitely provide annual security training as well, emphasizing each employee’s responsibility for protecting your sensitive data and the cost to your company and your customers when they violate your security policy. Your security policy should be required reading, always available to every employee and contractor, and part of every contract with a partner that involves any transmission of sensitive data.
The last word:
Speaking of deliberate attacks, a couple of days before I received that letter, my wife received an email indicating we had added a new payer to our E-Z Financial bank account. (Yep, it had a real bank name you would recognize, but that bank had nothing to do with this so I won’t mention it and use “E-Z Financial” instead.) The payer name was clearly a name we did not recognize, and it requested we click on a link if we had not done this. My wife was suspicious for several reasons, primarily because she didn’t know we had an E-Z Financial bank account.
A quick inspection of the email seemed to say this was a real email from E-Z Financial; the link back started out as online.EZFinancial.com, which certainly looks valid. We do not have an account with them. But that was not what triggered my concern, since someone could have opened an E-Z Financial account in my name, probably not to give me money. I went to the bank’s web site and sure enough on their security alert page was an example of this email. What was wrong with the link was a period instead of a forward slash. The link was actually
Please do not try this link in your browser. I have modified it some, but probably not enough to make the scam fail.
A URL, the “easy to read” address of a web site or page, can be quite long and complex, but it is actually fairly simple to take apart. For example, if you go to Amazon’s web site and click on “Today’s Deals” you end up at
Skip any leading “http://” or “https://” and scan to the first forward slash “/”; everything before that slash is the host. Then scan back from the slash past the previous period, and then back to the beginning or the next period, to get the domain name. In this case the domain name is “amazon.com.” That is the web site. Everything after that first slash just names a particular page, perhaps with parameters, on that web site (“gp/goldbox” is a particular page on amazon.com, and “ref=cs_top_nav_gb27” is a parameter passed to that page). Two caveats: if the host contains an “@”, only the part after the “@” is the host (the part before it is a login name that browsers ignore, so an address that starts with a bank’s name followed by “@” actually goes wherever the text after the “@” points), and under some country suffixes the registered name is the last three labels rather than two (“amazon.co.uk” is the web site, not “co.uk”).
On the scam link, the domain name is not “EZFinancial.com” but “is-an-account.com.” The labels in front of it (“online.EZFinancial.com”) are subdomains, and they are controlled by whoever registered “is-an-account.com,” not by “EZFinancial.com.” Anyone who owns a domain can create a subdomain named after any bank they like, which is why the name on the left of the address proves nothing. I tend to be suspicious of strange domain names.
When you go to a web page, it is a good thing to look up in the URL window at the top of your browser and see where it really is. Some browsers, like Firefox, highlight the domain name for you for exactly this reason. If it isn’t what you think it should be, do not type anything into the page; close the browser window, make sure your virus check software is up to date, and do a full scan of your system.
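The take-it-apart procedure above, as an added example rather than code from the original post: a small Python checker that extracts the host from a link (ignoring scheme, any login name before an “@”, port, path and trailing dot), reduces it to the registered domain, and compares that with the domain you expected. It goes a little beyond the two-label rule in the text by recognising a handful of country suffixes such as “co.uk”; that list is an illustrative stand-in for the Public Suffix List, which a real checker would load in full. The sample URLs are constructed: the Amazon one is assembled from the pieces the text mentions, and the scam one from the description (“online.EZFinancial.com” in front, “is-an-account.com” as the real domain), not copied from the actual phishing mail.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative stand-in for the Public Suffix List: suffixes under which the registered
# name is the third label from the right, not the second. A real checker loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def host_of(url: str) -> str:
    """Lower-cased host of the link, with scheme, user@ prefix, port, path and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url          # a bare "online.example.com/x" has no scheme to anchor on
    host = urlsplit(url).hostname      # drops userinfo and port, lower-cases the name
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def registrable_domain(url: str) -> str:
    """The part of the host somebody actually registered, e.g. 'amazon.com' or 'amazon.co.uk'."""
    host = host_of(url)
    try:
        ipaddress.ip_address(host)
        return host                    # an IP literal has no registered name; return it whole
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])       # the text's rule: last two labels


def belongs_to(url: str, expected_domain: str) -> bool:
    """True when the link really lands on expected_domain (case-insensitive)."""
    return registrable_domain(url) == expected_domain.lower().rstrip(".")


# Constructed sample links (not the real phishing URL).
SAMPLES = [
    "http://www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27",
    "http://online.EZFinancial.com.is-an-account.com/login",     # period instead of slash
    "https://online.ezfinancial.com@is-an-account.com/login",    # bank name as a login prefix
    "https://www.amazon.co.uk/",
    "http://192.0.2.10/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{registrable_domain(link):20s} <- {link}")
```

The third sample is the “@” trick mentioned above: everything before the “@” is a user name the browser discards, so urlsplit’s hostname is the right thing to read rather than scanning the raw text for the first period.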
Keep your sense of humor.