Data Breaches Via Email

In H1 2018, email services were used for almost one in every 10 registered confidential data leaks. Most incidents were unintentional and thus could have been prevented by properly configured DLP systems. This is a digest of data leaks via email, prepared by InfoWatch Analytical Center.

When it comes to email, confidential data are very often compromised by careless or negligent employees. For example, Chicago Public Schools apologized after an employee sent a mass email and accidentally attached a spreadsheet with the private data of over 3,700 students and their families, including names, home and cellphone numbers, email addresses and IDs.

The Commonwealth Bank of Australia admitted that throughout 2016 and 2017, its staff mistakenly sent 651 internal emails, containing personal data of 10,000+ customers, to the wrong email address. Apparently, the staff failed to include “.au” at the end of the domain name: instead of sending the emails to cba.com.au, they sent them to cba.com. Ironically, cba.com was, at the time, owned by a United States cybersecurity company. To settle the matter once and for all, the Commonwealth Bank of Australia bought the domain the emails were mistakenly sent to.

Business Email Compromise (BEC) scams have become a real curse for companies. Attackers usually email their target a hyperlink that, once opened, activates malware giving the criminal control over the victim’s account. One of the most recent notorious BEC attacks hit HealthEquity, a U.S. company acting as a custodian of health savings accounts. HealthEquity’s information security team identified unauthorized logins to two company employees’ email accounts. The attack might have compromised information of 190,000 customers.

In addition, hackers break into email accounts to gain direct access to trade secrets and know-how. For instance, in February, Iranian hackers attacked four Singapore universities, affecting at least 52 staff accounts, and then used these credentials to gain access to the universities' online libraries and research articles published by the academic staff.

Another incident happened in Canada, where Recycle Coach, the company that developed the My Waste app used for garbage reminders and recycling information, notified all users about a breach in which approximately 55,000 email addresses were stolen from Recycle Coach’s MailChimp account.