September 2009 Archives


Punishment of the Innocent


It is amazing and rather disturbing that a US federal judge has recently ordered Google to lock a Gmail user out of his own account despite the fact that he has done nothing wrong.

It seems that a bank accidentally sent this user a file containing sensitive information. They asked the user to destroy it without reading it, but didn't receive an answer. At that point the bank sought legal action.

Again, I am left with questions and thoughts:

- How did this happen? Did someone intend to send this sensitive file via email to a different address and simply mistype it? If so, was the sender not aware of the inherent risks in sending unencrypted email?

- Does the bank have a policy regarding sending unencrypted sensitive information over the Internet using an insecure protocol like SMTP? If so, do they have any tools to enforce it?

- How did the bank discover this mistake? Did the sender realize his or her mistake and inform the compliance / security group, or was some automated detection system in place?

- What legal responsibility does the innocent email recipient have? Sure, the data is sensitive, but it was freely given to him. Can't he do what he pleases with it (short of committing a crime, such as theft)?

- As much as I would like to see the prevention of information leakage, I am still disturbed by the legal precedent set here. What if they send it to a corporate email system next time? Does the government have similar authority to disrupt the business of a private organization by forcing a shut down of their Internet connection?

The onus of correcting this problem should fall 100% on the bank. They should have to compensate the affected customers. They should have to compensate the email recipient for any harm they cause him. And most importantly, they should learn their lesson and prevent this type of leak from happening again.
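The second and third questions above ask whether the bank had a tool to enforce its policy on unencrypted sensitive data and whether the leak could have been caught automatically. The script below is an added example (not code from this post or from netForensics) of the kind of gate an outbound mail relay can apply: it parses a message, checks whether it is bound for an external domain, whether it is already S/MIME or PGP encrypted, and whether any text part or text attachment carries Luhn-valid card numbers or SSN-shaped strings. The domain name, the sample messages and the two patterns are constructed for the example; a production DLP filter would also extract text from office documents and PDFs, which this one skips.

```python
"""Outbound-mail DLP gate: block unencrypted external mail that carries
account-number-like data. Added example; INTERNAL_DOMAIN, the detection
patterns and both sample messages are constructed, not from any real bank."""
import email
import re
from email import policy
from email.utils import getaddresses

INTERNAL_DOMAIN = "examplebank.test"            # assumption: the bank's own domain
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}  # S/MIME, PGP/MIME
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on arbitrary digit runs (order ids, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sensitive_hits(text: str) -> list:
    """Return labels for each sensitive-looking value found (last 4 digits only)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("card:" + digits[-4:])
    for m in SSN_RE.finditer(text):
        hits.append("ssn:" + m.group()[-4:])
    return hits


def external_recipients(msg) -> list:
    """Every To/Cc/Bcc address that is not in the internal domain."""
    pairs = getaddresses([str(msg.get(h, "")) for h in ("To", "Cc", "Bcc")])
    return [addr for _, addr in pairs
            if addr and not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(raw: bytes) -> dict:
    """Decide allow/block for one raw RFC 822 message leaving the relay."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    external = external_recipients(msg)
    if not external:
        return {"action": "allow", "reason": "internal recipients only", "hits": []}
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return {"action": "allow", "reason": "message is encrypted", "hits": []}
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() != "text":
            continue  # a real DLP engine would extract text from binary attachments here
        hits += sensitive_hits(part.get_content())
    if hits:
        return {"action": "block", "reason": "sensitive data to %s" % ", ".join(external),
                "hits": hits}
    return {"action": "allow", "reason": "no sensitive data found", "hits": []}


# Constructed sample: a CSV export mailed in the clear to an outside address.
LEAK = b"""From: ops@examplebank.test
To: j.doe@webmail.test
Subject: account export
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: text/csv
Content-Disposition: attachment; filename="accounts.csv"

name,card,ssn
Alice,4111 1111 1111 1111,123-45-6789
--b1--
"""

# Constructed sample: the same data, but staying inside the bank's domain.
INTERNAL = b"""From: ops@examplebank.test
To: risk@examplebank.test
Subject: same export

name,card
Alice,4111 1111 1111 1111
"""

if __name__ == "__main__":
    for name, raw in (("LEAK", LEAK), ("INTERNAL", INTERNAL)):
        print(name, evaluate(raw))
```

The decision is deliberately conservative in one direction only: encrypted mail passes without inspection, so the policy works only if the relay also logs every block so the compliance group sees the attempt, which answers the post's third question about automated detection.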


Unintended Consequences


Here's an interesting story making the rounds today about an Ohio man who used a commercial spyware program on an (ex?) girlfriend. He expected it to track her activities on her home computer, but instead ended up getting an ongoing screenshot feed from a computer in a hospital pediatric cardiac surgery department, where she works. He sent the spyware installer to her Yahoo! Mail account. She opened it and unknowingly installed the software on a work computer.

Needless to say, instead of getting juicy details on her online activities a la Joey Greco, he ended up with a feed of sensitive data, including PII and ePHI. While this was indeed an unintended result, he is still on the hook for big fines and possible jail time.

There is a lot of blame to spread around here for sure. There are also many questions (some rhetorical) that popped into my head as I read this:

- How did he convince her to run the installer and infect the PC? Obviously, he had an advantage over a random malware spreader since she knew the sender. Still, it must have required at least a small amount of social engineering skill. She didn't even know she had infected the system (or didn't think it wise to tell anyone).

- Does the hospital have a webmail policy? Do they have the tools to enforce it? Blocking access to Yahoo! Mail at the gateway would have nipped this problem in the bud, at least for the hospital.

- Did the PC in question have adequate anti-malware protection? By the looks of things, whatever they were using was insufficient.

- What else could the hospital have done to prevent the leak of ePHI in accordance with HIPAA regulations? Of course SIM (security information management) comes to my mind, but SIM would need to rely on feeds from web gateways, AV servers, DLP systems, firewalls, etc.

- The hospital is actually lucky here in that the person who stole the sensitive information had no nefarious plans for it. They were shown the weakness of their defenses without having to pay for an audit and without the need to pay ransom or experience worse consequences. They should view this incident as a gift and use it to improve their security stance.

- The stalker / boyfriend was clearly in the wrong no matter how you slice things. I imagine it's just as illegal to spy on a private citizen this way as it is to do it to a hospital. To borrow from an old saying: Spyware doesn't steal information - people do.
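The SIM question above is really a correlation question: no single feed in this story is damning on its own, but a webmail download of an executable followed by the same workstation talking to one new outside address every few minutes is. The script below is an added example (not code from this post or from any netForensics product) of such a rule run over three constructed feeds: a web gateway log, a firewall log and an AV server log. Hostnames, addresses, timestamps and the three log formats are all made up for the example; the known-good destination list and the thresholds are assumptions a real deployment would tune.

```python
"""SIM-style correlation: webmail download of an executable type, followed by
repeated outbound contacts from the same host to one new destination.
Added example; every log line, host and address below is constructed and the
three log formats are assumed, not those of any real gateway, firewall or AV."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-gateway feed: ts host method site path content-type bytes
PROXY_LOG = """\
2009-09-15T09:02:11 ws-card-07 GET mail.yahoo.test /dl/attach?id=1 application/x-msdownload 311296
2009-09-15T09:05:40 ws-card-07 GET update.vendor.test /patch.bin application/octet-stream 4096000
2009-09-15T10:00:01 ws-lab-02 GET mail.yahoo.test /inbox text/html 2048"""

# Constructed firewall feed: ts action src -> dst:port
FIREWALL_LOG = """\
2009-09-15T09:10:00 ALLOW ws-card-07 -> 203.0.113.9:443
2009-09-15T09:15:00 ALLOW ws-card-07 -> 203.0.113.9:443
2009-09-15T09:20:00 ALLOW ws-card-07 -> 203.0.113.9:443
2009-09-15T09:25:00 ALLOW ws-card-07 -> 203.0.113.9:443
2009-09-15T09:30:00 ALLOW ws-card-07 -> 203.0.113.9:443
2009-09-15T09:12:00 ALLOW ws-lab-02 -> 198.51.100.20:443
2009-09-15T11:00:00 ALLOW ws-lab-02 -> 198.51.100.20:443"""

# Constructed AV server feed: ts host detection verdict
AV_LOG = """\
2009-09-15T09:00:00 ws-card-07 scan clean
2009-09-15T10:30:00 ws-lab-02 Trojan.Generic quarantined"""

WEBMAIL_SITES = {"mail.yahoo.test"}                       # sites the webmail policy covers
DOWNLOAD_TYPES = {"application/x-msdownload", "application/octet-stream", "application/zip"}
KNOWN_GOOD_DESTS = {"198.51.100.20"}                      # assumption: approved external services
WINDOW = timedelta(hours=6)                               # look-ahead after the download
MIN_CONNECTIONS = 4                                       # contacts to one new destination


def parse_proxy(text):
    out = []
    for line in text.splitlines():
        ts, host, _method, site, _path, ctype, size = line.split()
        out.append({"ts": datetime.fromisoformat(ts), "host": host,
                    "site": site, "ctype": ctype, "bytes": int(size)})
    return out


def parse_firewall(text):
    out = []
    for line in text.splitlines():
        ts, action, src, _arrow, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        out.append({"ts": datetime.fromisoformat(ts), "action": action,
                    "host": src, "dst": ip, "port": int(port)})
    return out


def parse_av(text):
    out = []
    for line in text.splitlines():
        ts, host, name, verdict = line.split()
        out.append({"ts": datetime.fromisoformat(ts), "host": host,
                    "name": name, "verdict": verdict})
    return out


def correlate(proxy, firewall, av):
    """One alert per (host, destination) where a webmail download of an executable
    type is followed within WINDOW by MIN_CONNECTIONS or more allowed connections
    to a destination outside KNOWN_GOOD_DESTS. AV is used only to enrich the alert:
    a silent AV on the flagged host is the interesting case."""
    contacts = defaultdict(list)
    for e in firewall:
        if e["action"] == "ALLOW" and e["dst"] not in KNOWN_GOOD_DESTS:
            contacts[(e["host"], e["dst"])].append(e["ts"])
    av_hits = {e["host"] for e in av if e["verdict"] != "clean"}
    alerts = []
    for d in proxy:
        if d["site"] not in WEBMAIL_SITES or d["ctype"] not in DOWNLOAD_TYPES:
            continue
        for (host, dst), times in contacts.items():
            if host != d["host"]:
                continue
            after = sorted(t for t in times if d["ts"] <= t <= d["ts"] + WINDOW)
            if len(after) < MIN_CONNECTIONS:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(after, after[1:])]
            alerts.append({"host": host, "dst": dst, "download_site": d["site"],
                           "download_ts": d["ts"].isoformat(),
                           "connections": len(after),
                           "regular_interval": max(gaps) - min(gaps) <= 60,
                           "av_alert": host in av_hits})
    return alerts


def run():
    return correlate(parse_proxy(PROXY_LOG), parse_firewall(FIREWALL_LOG), parse_av(AV_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample feeds only ws-card-07 is flagged: it pulled an executable from the webmail site and then contacted one unlisted address five times at a steady five-minute interval while its AV reported nothing, which is exactly the shape of the feed the boyfriend was receiving. ws-lab-02 only viewed its inbox and its AV already quarantined something, so the rule stays quiet and leaves that host to the AV alert itself. The point is the one the post makes: the rule is only as good as the gateway, firewall and AV feeds the SIM actually receives.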


© 2010 netForensics, Inc