A large Australian bank exposed 60,000 of its customers’ account details after it unintentionally sent an email to the wrong recipient.
According to a report late last year, the issue started with a CC that wasn’t supposed to be there, causing a recipient outside the bank to get a copy of an email they weren’t supposed to see.
CC, of course, is short for the anachronistic term carbon copy, from the days when a carbon-impregnated film was slipped between two sheets of paper that were then typed at the same time.
The problem with CC in modern email is that everyone on the list gets a copy of everyone else’s email address, which is often not a good idea, especially if it’s a routine message to lots of different customers who aren’t supposed to learn everyone else’s identity.
National Australia Bank (NAB), which was one of the targets of sophisticated Android Malware in March 2016, disclosed the data leak in December.
It appears a former NAB employee sent confirmation emails to 60,000 new customers. All of the new account holders were migrants who had created accounts with NAB’s migrant banking team.
The confirmation emails provided them with their Bank State Branch (BSB) number, account number, and NAB number. They also contained several pieces of personal information including the customer's name, address, and email address.
On each email they sent out, the employee CC’ed NAB so that the bank could retain a copy. Or so they thought. They CC’ed nab.com instead of nab.com.au, a domain which the bank owns.
The mail server for nab.com is listed as Google, presumably because the domain is signed up to Gmail, but Google won’t help track down recipients in cases like this without a court order.
NAB’s executive general manager for international branches Peter Coad was quick to own up to the bank’s mistake. As quoted by the Australian National Review (ANR)
"We also take full responsibility and we sincerely apologise to our customers for this mistake. The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action.”
By digging into the data leak, NAB learned that Google hosts the server where the employee sent the email. The bank contacted Google and asked for its help in tracking down the data. The tech giant refused to do anything without a court order, so NAB filed a motion against Google.
Indeed, NAB is now working directly with David Weissenberg of Real Assets Limited–the owner of nab.com. Coad feels this strategy will help the bank get to the bottom of what happened to the data. As he told ANR in an updated report published:
"We understand that the email address to which the correspondence was incorrectly sent is not actively used and our customers’ emails have not been wrongfully used. Although this has been a complex process involving multiple international jurisdictions, all parties – including the email account owner – are taking this extremely seriously and NAB is working hard to resolve this matter.”
The result therefore seems to be that:
- The email was accepted by Google’s mail service, so in a formal sense it was delivered.
- The email didn’t reach any known user, so in an informal sense, it wasn’t received.
In short, it’s highly likely that no harm was done, because the email and its personal data will never be seen again, but it’s impossible to be sure.
What to do?
Sending emails to the wrong person is surprisingly easy to do by mistake: if a close-but-not-correct username or domain name doesn’t trip you up.
Here are some tips to reduce the risk in your organisation:
- Use an automatic file encryption system to keep internal files safe from outside eyes, even if they are copied or emailed out.
- Use an outbound email filter to block emails to commonly mistyped domains.
- Create a culture that discourages sharing database dumps by email.
Organizations should use NAB’s example to try to reduce the risk of one of their employees sending an email to the wrong recipient. They can do so by encrypting emails that won’t automatically decrypt if they’re sent by email and by using an outbound email filter.
No comments:
Post a Comment