(With apologies to Mick Jagger/Rolling Stones – NYC, Madison Square Garden, 1969).
I was going to title this particular article, “If I can breach it there…, I can breach it… anywhere…”
Followed by “…with apologies to ‘New York, New York’…”.
This data incident is not a breach (at least from the perspective of the originating organization).
It is an incident of human error:
A New York Yankees employee accidentally exposed the personal data of approximately 17,000 fans. Credit card info is not thought to have been exposed, but – you can imagine the drill: How are you going to know you’re safe, short of one of two things? Either you cancel a card, or you cross your fingers and hope unauthorized charges don’t show up. For at least a few weeks’ time your peace of mind is significantly impacted.
This much is known for sure: Included in the spilled information are names, addresses, phone numbers, and e-mail accounts. When considering the Yankees, not all errors occur on the field: This data spill comprises about half of all season ticket holders. It is, simply, unfortunate.
It’s interesting to note that as of yesterday, the 28th, not all season ticket holders (approximately twice the 17k thus far exposed) have been apprised that their information either has been, or might be, compromised. There really is no valid reason for any lag in a timely notification that sensitive data is at risk.
So how the heck does an employee expose sensitive information about 17,000 people? Well, according to the Yankees Organization, the employee “accidentally” (there’s that word again) attached a spreadsheet to an outbound e-mail. As stated in I.T. Wars: Errors have efficiencies too. Bad outcomes are no longer relegated to the travel of physical paper and a couple of carbons… errors travel at the speed of electrons, to destinations of extraordinary number.
Mistakes will happen, but in this case it seems rather incredible. Spreadsheets and all files should have accurate names – particularly for sensitive information – that reflect, in a concise way, the sensitivity of each file’s contents.
Further, passwords and controls can be attached to files upon their creation, forcing authentication when sensitive information is attached to e-mails. Control systems are also easily developed such that, when anyone attempts to attach or include a particularly sensitive file (password protected or not) with an e-mail, a simple dialog box invokes a warning: “This file has been marked as ‘Sensitive’” (or “Classified”, whatever the label; it can even be auto-triggered by content, hey…), followed by: “Are you sure you want to include this file to these recipients?”
This can be applied in addition to other security measures, of course: access control by virtue of login accounts with an associated class of user, group network identities, and limits to, and graduated levels of, access to areas of data based on experience, nature of work, and need.
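The outbound attachment check described above, as an added example (not the author’s or the Yankees’ code): a small Python gate that treats a file as sensitive either by a tag in its name or by the volume of e-mail addresses and phone numbers in its contents, raises the “Are you sure?” confirmation for internal recipients, and blocks outright when such a file is headed to outside addresses. The organisation domain, the name tags, the thresholds and the sample rows are all assumptions or constructed data.

```python
import re
from typing import Dict, List

# Assumed: the sending organisation's own mail domain (hypothetical value).
INTERNAL_DOMAIN = "example.org"

# Tags the text suggests placing in file names, e.g. "ticket-holders_SENSITIVE.xlsx".
NAME_TAGS = ("SENSITIVE", "CLASSIFIED", "PII")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

def count_pii(content: str) -> Dict[str, int]:
    """Count distinct e-mail addresses and US-style phone numbers in a text export."""
    return {
        "emails": len(set(EMAIL_RE.findall(content))),
        "phones": len(set(PHONE_RE.findall(content))),
    }

def is_sensitive(filename: str, content: str, threshold: int = 3) -> bool:
    """Sensitive if the name carries a tag, or the content holds PII for several people."""
    upper = filename.upper()
    if any(tag in upper for tag in NAME_TAGS):
        return True
    counts = count_pii(content)  # content-triggered classification
    return max(counts.values()) >= threshold

def check_outbound(filename: str, content: str, recipients: List[str]) -> Dict[str, object]:
    """Decide what the mail client should do before the message leaves."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    sensitive = is_sensitive(filename, content)
    if not sensitive:
        action = "send"
    elif external:
        action = "block"    # sensitive data to outside addresses: stop, require an override
    else:
        action = "confirm"  # the "Are you sure you want to include this file?" dialog
    return {"sensitive": sensitive, "external": external, "action": action}

# Constructed sample export shaped like a season-ticket list (fictitious people and numbers).
SAMPLE_CSV = """name,address,phone,email
Pat Example,1 Main St,212-555-0101,pat@example.net
Sam Sample,2 Oak Ave,718-555-0102,sam@example.com
Lee Holder,3 Elm Rd,917-555-0103,lee@example.net
Kim Fan,4 Pine Ct,646-555-0104,kim@example.com
"""

if __name__ == "__main__":
    print(check_outbound("fans.csv", SAMPLE_CSV, ["vendor@example.com"]))
```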
Stay safe out there.
April 29th: On this day, in 1892, Charlie Reilly is baseball’s 1st pinch hitter.