The most prevalent form of email data breach is delivering personally identifiable information to the wrong recipient. In a study released by Verizon in April 2014, the findings revealed that government organizations deliver sensitive information to the wrong recipient at a far higher rate than what is occurring in the private sector.
What explains this finding? Verizon delved deeper into the factors contributing to this significant data skew and reported that, in their words, “The United States Federal Government is the largest employer in the country, and maintains a massive volume of data on both its employees and constituents, so one can expect a higher number of erroneous delivery incidents.”
It’s a sobering discovery – massive amounts of data on a massive number of people – both employees and private citizens – and substandard controls around identity verification and secure document delivery.
What exactly is personally identifiable information? It spans a wide gamut of areas. There are the obviously confidential pieces – things like social security and bank account numbers. And then there are the not-so-obvious bits and pieces that – when placed in malicious hands – create significant exposure and risk.
The most insidious threats are those comprised by melding together seemingly innocuous pieces of personal information that in isolation don’t immediately spur cause for concern. However, when strung together, these data points become the ultimate fodder for fraud and maliciousness.
So if some agency associated with the United States Federal Government erroneously delivers an email containing your personally identifiable information (PII) to someone other than you, what can be revealed – and what is the associated risk?
A document containing merely your home address is not only enough for a hacker to figure out where you live but also to infer other aspects of your personal life – things like where your children go to school, where you likely shop for groceries, and who owns your home. They can probe around your social media activity to glean not only overtly personally identifiable information (like your birth date and where you went to school) but also patterns around your comings and goings – where you work and who your friends are.
And then they mesh personally identifiable information with anecdotal information to create a profile to perpetuate fraud. While hackers can get started with a mere shred of personally identifiable information, they can quickly and easily expand their probe with just a few keystrokes with devastating consequences.
And it all starts with delivering documents containing personally identifiable information to the wrong person. At best it’s a clear-cut privacy violation. At worst, the information can be used to perpetuate fraud and even more treacherous malicious activity.
It’s clear that government agencies – the receptacles of massive amounts of personal data on a massive number of people – are obligated to protect the public. A secure document delivery system that provides a second authentication factor makes it far more challenging for information thieves to grab that critical piece of information and helps prevent disclosure when an email goes astray – this empowers government agencies to proactively and effectively address the risks associated with secure document delivery and personally identifiable information.
By Bart Schaefer, CEO of Armored Envoy
About Bart Schaefer
Bart Schaefer has more than 15 years of experience as a key architect and senior developer of email systems, having created flexible and scalable solutions with an emphasis on open standards. Prior to co-founding Armored Envoy, Schaefer started Z-Code Software, based on the ground-breaking application, Z-Mail, which won numerous awards, including PC Magazine’s Editor’s Choice Award. Schaefer is actively involved in email standards discussions with The Internet Engineering Task Force and the Anti-SPAM Research Group, and contributes regularly to open software projects such as Spam Assassin.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.