E-mail, the Internet's first killer app, can injure companies and individuals when not used with care.
In its attempt to document the risks of electronic messaging and to make the case for the value of its services, Proofpoint, an e-mail security company, has assembled a list of what it considers are the "Top 10 Terrifying E-mail Blunders of 2009."
Keith Crosley, director of market development at Proofpoint, says the incidents his company has cited demonstrate the ongoing need for user training, for corporate e-mail policies, and for technology to enforce corporate policies. He says that only about a third of enterprises have deployed systems that can identify and block the unauthorized transmission of health or financial data.
The incidents that follow are, according to Proofpoint, in no particular order.
E-mail That Empties Bank Accounts: In September, the URLZone Trojan was reported to be spreading through e-mail and compromised Web sites, and emptying victims' bank accounts. It's even sophisticated enough to create forged balance reports to conceal its looting.
"No More Internet Banking For You!": That's what FBI director Robert Mueller's wife told him after the agency head clicked on a phishing message and nearly surrendered his personal information to a phishing Web site.
White House Spam: A White House effort to set the record straight about its healthcare plans in August led to the sending of unsolicited e-mail. The incident wasn't exactly a disaster. But it was it great public relations either.
Hotmail Accounts Blocked: Earlier this month, Microsoft blocked tens of thousands of Hotmail accounts that the company believed had been compromised as a result of a phishing scam. A security researcher at ScanSafe subsequently argued that exposed account credentials were gathered using a data theft trojan rather than a phishing attack.
Department Of Gaffes: Social media start-up RockYou reportedly managed to mess up its e-mail messaging three times in the past year. In January, it sent a mailing list message using the CC address field rather than BCC, exposing the e-mail addresses of everyone on the list. In November, it reportedly asked contractors for W-8/W-9 information in a message sent to a mailing list, which prompted replies containing personal information to the e-mail list rather than to the company's accounting department. And in September 2008, RockYou reportedly revealed over 200 e-mail addresses in a message it sent out.
Here's The Sensitive Data You Didn't Ask For: An employee of Rocky Mountain Bank in Wyoming inadvertently sent a message containing confidential customer information for 1,325 individual and business accounts to the wrong Gmail account. The Bank sued Google to force it to reveal information about the Gmail user who had accidentally received the information. Fortunately for all concerned, it appears that nothing was done with the exposed information.
Pay Day: Some customers of payroll processor PayChoice reportedly fell victim to a spear-phishing scheme in September when they received an e-mail message advising them to install a browser plug-in to maintain access to the company's online portal. The installed software was malware of course. PayChoice is still investigating the incident.
Tax Warning: Britain's tax authority, HM Revenue & Customs, issued a warning in January about "the most sophisticated and prolific phishing scam that we have encountered." The phishing messages asked for bank or credit card information, ostensibly so the government could provide a tax refund. Those who complied risked "their accounts being emptied and credit cards used to their limit."
Tax Warning Strikes Again: Last month, US-CERT warned about " malicious code circulating via spam e-mail messages related to the IRS." The messages contain links or attachments which attempt to install the dangerous Zeus trojan.
Congratulations! Oops, Never Mind: UC San Diego in April managed to send an acceptance e-mail to its entire pool of freshman applicants -- 46,000 students -- instead of just notifying the 18,000 students who had actually been admitted.
The point of recounting such incidents, says Crosley, is that "even today, users still need education about inbound e-mail security issues." He adds that despite the rise in social media, e-mail remains the number one threat vector. That partly, he says, because so many social media sites send out e-mail notifications. Spammers have realized this, he says, and have taken to sending out spoofed of social media notification messages.
Organizations that didn't make the list shouldn't give up: There are still two months left before the end of the year.
InformationWeek has published an in-depth report on e-discovery. Download the report here (registration required).