1) Sending sensitive data to the wrong email recipient, such as when a Dutch municipality accidentally sent 530 people's personal data to the wrong address.
2) Including all email recipients in the CC field, making everyone's email address public, such as when a Dutch municipality sent an email to 123 recipients using CC instead of BCC.
3) Storing copies of people's ID documents on an unsecured publicly accessible server, allowing third parties access to 800 people's data.
2. Sending information to the wrong recipient
It is the biggest cause of data leaks: sending sensitive data to the wrong person.
01. Example
It happened to the Dutch municipality Assen, when an employee sent a file containing the personal data of 530 persons to the wrong email address.
This is a major problem, because with standard email, you as a sender don’t receive a notification or a warning if sensitive data is processed.
3. Prevention tip:
If the user had known before sending that the wrong email address had been entered, this error could have been avoided.
A check on recipients is therefore a functionality that can limit this risk of human error.
4. Email addresses of all recipients in CC
Whoever puts all addresses in the CC field makes the addresses of all recipients in that group visible to everyone in it.
02. Example
This happened recently to another Dutch municipality: an email was sent with all 123 recipients in the CC.
Not everyone is aware of it, but an email address is sensitive data too. In this case, the email addresses should have been kept private from everyone.
This also went wrong earlier, when the Dutch Data Protection Authority accidentally used the CC button instead of the BCC.
5. Prevention tip:
A check on recipients can prevent data from being shared with everyone in the recipient group.
Better yet: a check for recipients in the "to", "cc" or "bcc" field could help the sender to send the message correctly.
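A sketch of the recipient check that the wrong-recipient and CC prevention tips describe, added here as an example and not taken from the original slides or from any product. The internal domain, the threshold of five visible external addresses, the set of previously mailed domains and the sample message are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed values, not taken from the slides.
INTERNAL_DOMAIN = "municipality.example"
MAX_VISIBLE_EXTERNAL = 5

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_recipients(raw_message, known_domains):
    """Return warnings to show the sender before the message leaves."""
    msg = message_from_string(raw_message)
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    hidden = getaddresses(msg.get_all("Bcc", []))
    warnings = []

    # CC case: external addresses in To/Cc are disclosed to every recipient.
    external = [a for _, a in visible if a and domain(a) != INTERNAL_DOMAIN]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        warnings.append(
            f"{len(external)} external addresses in To/Cc are visible "
            "to all recipients; use Bcc"
        )

    # Wrong-recipient case: a domain never mailed before may be a typo.
    for _, addr in visible + hidden:
        if addr and domain(addr) not in known_domains | {INTERNAL_DOMAIN}:
            warnings.append(f"unfamiliar recipient domain: {addr}")
    return warnings

# Constructed sample: six residents plus one mistyped domain, all in Cc.
SAMPLE = (
    "From: clerk@municipality.example\n"
    "To: team@municipality.example\n"
    "Cc: " + ", ".join(f"resident{i}@mail.example" for i in range(6))
    + ", j.doe@mial.example\n"
    "Subject: Newsletter\n\nHello\n"
)

if __name__ == "__main__":
    for w in check_recipients(SAMPLE, {"mail.example"}):
        print("WARNING:", w)
```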
6. Unsecured servers for storing data
It is not only important to send data securely, it should also be stored securely.
03. Example
Recently, copies of ID documents of 800 people were accessible by third parties, because they were stored on an unsecured publicly accessible server.
And it is precisely this type of information that is interesting for cyber criminals: identity fraud is popular, and it leaves the victims with high financial consequences.
7. Prevention tip:
By using secure servers you can prevent data from being easily accessed and viewed.
It is important that these servers are not only secured themselves, but that they also store the data encrypted.
8. Weak passwords
What gives access to secure data? The credentials needed to get through security.
Creating a strong password, which is difficult for hackers to guess, ensures that access can’t simply be obtained.
04. Example
In 2014, such an example hit eBay: hackers gained access to databases full of sensitive data via credentials of 3 employees.
9. Prevention tip:
We make it difficult for malicious parties by creating strong passwords.
But that's not all: changing that password regularly is even more effective. Therefore, make it a habit to renew your passwords every now and then.
10. Lack of the right encryption
Without proper encryption, data is directly accessible when it is intercepted.
05. Example
An audit in early 2022 found that NASA employees sent unencrypted emails containing sensitive data, personally identifiable information, and International Traffic in Arms Regulations data, exposing NASA to a risk that could endanger national security.
11. Prevention tip:
Encryption is one thing; applying it properly is another.
Zero-knowledge end-to-end encryption is one way to ensure that data remains protected. This applies to malicious parties as well as to data processors.
12. What options do you have if data has been shared with the wrong person?
Take a look at this from within your organization