With the number and sophistication of cyber attacks increasing significantly, organisations have had to become aware of, and adapt to, new and evolving digital threats. Yet many would still consider the simple error of sending an email to the wrong contact trivial, at most embarrassing, but not a data security concern. However, misaddressed emails have far-reaching consequences that can seriously impact an organisation, especially in highly regulated industries such as healthcare and finance. From fines to data breaches, what are the potential ramifications of sending an email to the wrong address?
Reputational and Financial Damage
BitMEX, one of the world’s largest cryptocurrency trading platforms, accidentally leaked thousands of private customer email addresses when it sent out a mass mailshot without using the BCC function. While the company maintains that customer privacy remains a top priority, its customers were left wondering how they could trust BitMEX with huge personal assets in the aftermath of this data protection failure.
A similar incident in 2018 led to the Independent Inquiry into Child Sexual Abuse (IICSA) being fined £200,000 by the Information Commissioner’s Office (ICO) for failing to protect the identity of possible victims of child abuse. A human error exposed victim identities to third parties: staff put the recipients’ email addresses in the ‘To’ field rather than the ‘BCC’ field. In the age of increased data protection regulations, this example demonstrates just how seriously the ICO takes these types of data breaches. The embarrassment of sending an email to the wrong contact pales in comparison to the business pain of financial penalties.
Intellectual Property Loss
Should confidential corporate information fall into the wrong hands, the consequences could be devastating. Crucial company information such as trade secrets or blueprints of an unpatented new product leaking into the public domain could easily be intercepted by the competition, resulting in a lost competitive advantage.
All it takes is a simple missed or added character in the email address, autocorrect taking over, or simply pressing send too soon and the information that was once confidential is sitting in the wrong inbox. It could be that of an unknown individual, competitor, or even a cyber-criminal.
In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company because they omitted ‘.au’ from the end of a domain that should have read ‘cba.com.au’. This data leak continued over a long period without anyone noticing, and could potentially have exposed sensitive company data or private customer information to competitors, putting the company at serious risk. Luckily, on this occasion the company confirmed that no customer data had been compromised.
Hackers can capitalise on this complacent email culture by cleverly disguising emails to look like they are coming from inside the company, when in fact they are sent from a similar, spoofed domain name that an employee would probably fail to spot at first glance. This potentially opens the organisation up to a devastating hacking, malware or ransomware attack, and is a clear reason why Business Email Compromise (BEC) scams continue to be popular with cybercriminals.
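The two failure modes above, a mass mailing with every recipient visible in ‘To’ and a recipient domain that is one character away from the organisation’s own, can both be caught before send. The following is an added example (not code from the original article or from any vendor named in it) of such an outbound pre-send check; the trusted domain ‘cba.com.au’, the recipient threshold and the sample headers are constructed assumptions.

```python
import difflib
from email.utils import getaddresses

# Constructed assumptions: the organisation's own domain(s) and the point at
# which a visible recipient list should have used BCC instead.
TRUSTED_DOMAINS = {"cba.com.au"}
MAX_VISIBLE_RECIPIENTS = 20


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, cutoff=0.8):
    """Return the trusted domain that `domain` closely resembles, or None.

    An exact match is not a lookalike; a near-miss such as a dropped '.au'
    or one substituted character scores above the similarity cutoff.
    """
    if domain in trusted:
        return None
    matches = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def addresses_in(headers, *names):
    """Parse the addresses found in the named header fields (empty fields skipped)."""
    fields = [headers.get(name, "") for name in names]
    return [addr for _, addr in getaddresses([f for f in fields if f.strip()]) if addr]


def check_outbound(headers):
    """headers: dict with optional 'To', 'Cc' and 'Bcc' strings.

    Returns a list of warnings to show the sender before the message leaves.
    """
    warnings = []
    visible = addresses_in(headers, "To", "Cc")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        warnings.append(
            f"{len(visible)} recipients are visible in To/Cc; use Bcc for mass mailings"
        )
    for addr in visible + addresses_in(headers, "Bcc"):
        near = lookalike_domain(domain_of(addr))
        if near:
            warnings.append(f"{addr}: domain '{domain_of(addr)}' resembles trusted '{near}'")
    return warnings
```

In a real deployment the same check would run in a mail-gateway or client add-in; here it is a pure function so the rules can be unit-tested.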