West Ham’s email to away season ticket-holders confirming their ticket for Tuesday’s Football League Cup fixture at Wimbledon was CC’d to every intended recipient. The message should have been sent as a BCC.
Tony Pepper, CEO and Co-founder at Egress Software:
“‘Traditional’ solutions to prevent data breaches – such as firewalls, endpoint security, encryption and malware scanning – can’t stop someone accidentally sending an email to multiple recipients using To/Cc instead of Bcc. This is because existing solutions can’t tell the difference between intentional and unintentional user behaviour. Therefore, when an employee of West Ham United accidentally Cc’d the email to every intended recipient, there was no safety net, and indeed no way of even alerting the sender that a mistake had been made.
Organisations prioritise the malicious outsider over the accidental insider threat. Both present real risks to data security, but the insider threat has been fundamentally underestimated. Despite the difficult nature of the problem, with intelligently applied machine learning and big data analysis combined with a solid staff training, it is possible to mitigate human mistakes and enhance organisations’ cybersecurity.”
