Thursday, January 27, 2005

E-mailing sensitive personal information after collecting it securely

Risks Digest is a great source of information about the everyday risks that we face. Often, it carries examples of privacy risks. The latest issue contains a submission about an insecure practice that ... though sensitive personal information is collected securely using web-browser encryption, the information is then treated pretty casually.

The Risks Digest Volume 23: Issue 68:

"HTTPS .ne. secure

Fri, 21 Jan 2005 7:25:35 -0500

I recently filed a change of address for some Qwest stock I own. Qwest uses The Bank of New York ( to manage stock accounts, so I went to their web page, and filled out the form using name, address, SSN, and account number. Checked for the padlock indicating HTTPS, and convinced there was *some* degree of due diligence, submitted the form. The confirmation screen starred out all but the last four digits of the SSN (i.e., ***-**-9999), which seemed reasonable.

Last night I got back an e-mail that they couldn't process my change request (the reason is unimportant), and included in the text of the message my name, e-mail address, account number, and SSN. No stars this time to shield sensitive information. Seems like a pretty useful e-mail to intercept!

What kind of security policies allow including this sort of information? The security & privacy policies don't say anything about safeguarding customer information.

If anyone has a privacy/security contact at Bank of New York, I'd certainly be interested in talking to them!

(This is certainly not a new type of problem; see RISKS 21.83 for another example I wrote about 3 years ago.)"
