Posted by: Ken Harthun
data breach, Security, security awareness, Security policy, Security practice
* A fax was received by a former employer related to COBRA medical insurance coverage that I need to reapply for.
* An email was sent to me with the fax attached as a PDF file.
* Among the pages of the fax contained in that PDF was an “example” of how an attest form should be filled out.
* That form contained the full name and SSN of the “example” insured person, the employer group number, employer name, and certain other key pieces of information.
I was appalled! So, in the interest of security research, I did a quick and dirty check. With nothing more than a couple of simple Google searches, I was able to gain other information that would have allowed me to social-engineer my way into a complete impersonation of the “example” insured person.
Naturally, I won’t go into details about what I found and how I found it, but this should serve as a wonderful example of how most people are completely oblivious of the security consequences of mishandling sensitive information.
The first failure occurred at management level of the insurance company where proper controls and procedures were not in place to catch an employee’s security breach. Sending a copy of an actual form instead of an invented one as an “example” of how to complete the documentation should not have been an option. Someone dropped the ball big time here.
The second failure occurred in the lack of security consciousness training of employees who deal with sensitive information. How could the person responsible for sending the fax have let such a thing get past them? The form didn’t say “Jane Doe,” it was a real person’s name; the SSN wasn’t “123-45-6789,” it was an actual SSN; the company name didn’t read “ACME Widgets,” it was a real business name; and, the employee who filled out and attested to the form was an actual employee.
The last weak link in the chain was the administrative person who forwarded the PDF to me via email in clear text, not encrypted. That person probably didn’t even look at it; it was just one more thing to do in an already too-busy day.
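One control that would have caught both the first failure (a real form used as a template) and the last one (the PDF forwarded unread) is an automated check on outbound content: scan the extracted text of an attachment for SSN-shaped values, ignore the obvious placeholders such as 123-45-6789, apply the Social Security Administration's structural rules so that invoice numbers and other look-alikes are not flagged, and either block the send or redact the number before it leaves. The script below is an added example written for this post, not code from the author or from any insurer's systems; the attestation-form text and every SSN in it are constructed for the demonstration, and the placeholder list is an assumption about what a template might legitimately contain.

```python
import re

# Constructed sample attachment text, standing in for the text extracted from
# a faxed PDF. No value here belongs to a real person.
SAMPLE_TEXT = (
    "EXAMPLE ATTESTATION FORM\n"
    "Name: Jane Doe        SSN: 123-45-6789   Employer: ACME Widgets\n"
    "Name: Sample Person   SSN: 219-09-9999   Employer: Example Corp, group 4471\n"
    "Invoice ref 900-12-3456 (looks like an SSN, but area 900+ is never issued)\n"
)

# SSN-shaped token: three digits, two digits, four digits, hyphen-separated.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Values a template may legitimately carry (assumed list); these are the kind
# of "example" numbers the form should have used instead of a real SSN.
KNOWN_PLACEHOLDERS = {"123-45-6789", "000-00-0000", "111-11-1111", "999-99-9999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area numbers 000, 666 and
    900-999 are never issued, and group 00 / serial 0000 are never assigned.
    A token failing these cannot be a real SSN, so it is not worth flagging."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssn_exposures(text: str) -> list[dict]:
    """One finding per SSN-shaped token that is neither a known placeholder
    nor structurally impossible. The line number is kept for triage; the full
    value is kept only so the caller can redact it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            token = m.group(0)
            if token in KNOWN_PLACEHOLDERS:
                continue
            if not is_plausible_ssn(*m.groups()):
                continue
            findings.append({"line": lineno, "value": token, "last4": m.group(3)})
    return findings


def redact_ssns(text: str) -> str:
    """Mask every plausible, non-placeholder SSN to ***-**-last4, which is
    enough for a recipient to recognise the record without the identifier."""
    def _mask(m: re.Match) -> str:
        token = m.group(0)
        if token in KNOWN_PLACEHOLDERS or not is_plausible_ssn(*m.groups()):
            return token
        return "***-**-" + m.group(3)
    return SSN_RE.sub(_mask, text)


def outbound_check(text: str) -> dict:
    """The decision an outbound-mail gateway or pre-send hook would act on:
    block when any real-looking SSN is present, and offer a redacted copy."""
    findings = find_ssn_exposures(text)
    return {
        "block": bool(findings),
        "findings": findings,
        "redacted": redact_ssns(text),
    }


if __name__ == "__main__":
    result = outbound_check(SAMPLE_TEXT)
    print("BLOCK" if result["block"] else "ALLOW")
    for f in result["findings"]:
        print(f"  line {f['line']}: SSN ending in {f['last4']}")
    print(result["redacted"])
```

Run against the constructed form, the check blocks the send on the one real-looking number, leaves the 123-45-6789 placeholder and the 900-series invoice reference alone, and produces a copy with the number masked to its last four digits. A gateway that rejects or redacts on this signal removes the dependency on a busy administrator noticing what is in a PDF, which is exactly the human step that failed here.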
If you’re in Information Security at any level, things like this should make it obvious that there’s real truth in the statement, “Be afraid, be very afraid…”
I’m joking, of course, but we’re not going to escape the fact that the weakest link in the security chain is the people responsible for it.