Email Attachments Gone Wrong

Data security breaches are a prominent concern, frequently making headlines as new incidents arise daily. The rate at which consumer data is compromised and acquired by unauthorized parties is disturbingly high and shows no signs of abating. Although the focus often falls on ransomware and the harmful email attachments that spread it, particularly through macros in Office documents, there's also another significant but commonly ignored risk.

The UK's Information Commissioner's Office reports that emails sent to the wrong recipient are a major cause of data breaches in organizations. Additionally, the World Economic Forum's research indicates that human mistakes contribute to 95% of cybersecurity issues worldwide.

Every email with an attachment carries the risk that the wrong file was attached and is compounded as the email is forwarded. This could happen unintentionally, such as when you choose a document with a similar name or one whose name has been changed. If this document contains personally identifiable information (PII) and it ends up with someone it wasn't meant for, legal requirements may compel you to inform both the authorities and the affected customers.

Sounds bad, but what are some real-life examples? Let's take a look.

City council's spreadsheet discloses several thousand residents' personal information

Leicester City Council mistakenly emailed a spreadsheet containing sensitive data to 27 firms during a tender process (inviting bids within a set deadline) for transportation services for individuals in care or with special needs. The initial email was dispatched on Tuesday morning, followed by a retraction email after just over a day, urging recipients to erase the email and its attachment, 'Taxi Tender Live v 3', from their systems without opening it.

Finance Department's Accidental Leak

The finance department of a government agency accidentally shared confidential information via email, including pricing scales from consulting firms. This was the second such incident within four months, highlighting human error as a significant cause of data breaches

McMorris v. Carlos Lopez & Associates, LLC

In this legal case, an employee accidentally emailed a spreadsheet containing personally identifiable information (PII) to other employees. The federal appeals court ruling in this case highlighted the importance of the nature of data exposure and whether the exposed data was misused.