EQC email mishap

Forums › Off topic › EQC email mishap

CapBBeard

202 posts

Master Geek

# 115446 26-Mar-2013 12:36

Hey all,

Having heard the news about the mistake at EQC resulting in claim details being sent to external parties (and one that has it in for EQC at that), our senior management have started to question whether we would be at risk here (as they had heard it was a 'system issue'). In this instance EQC are blaming Outlook's autocorrect functionality for the mistake.

Please see http://www.nbr.co.nz/article/privacy-commissioner-thinks-about-writing-letter-eqc-admits-breach-affected-83000-ck-137700 for a source if you are unfamiliar.

I was keen to hear others take on the whole situation. I know that auto-correct is absolutely loved by our staff here, many of whom are not massively literate computer users, so they appreciate the time savings it provides them.

Of course, human mistakes are always going to happen, I'd suggest the EQC case was a rather unfortunate one. Disabling email auto-correct as a whole seems somewhat knee-jerk to me though. Taking a step back I think emailing large documents arounds the office (for purely internal use even) was perhaps the bigger issue.

I've suggested we implement a policy of only ever sending references into our document management system around, that way if there is a mistake and something is sent to an external party, they will not be able to access the document, and really it's no harder for our staff (not to mention the other benefits - avoiding large attachments, duplicating data, etc). This generally happens now anyway, but I think it is perhaps a good time to formalise it a bit more.

Of course, always being vigilant about who you are sending to, and what you are sending them, is important!

Thoughts?

nate

6357 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 787273 26-Mar-2013 14:52

One person supports this post

My reply I am making a bucketload of assumptions. I am not privy to the exact details, however I'm guessing on what I think has happened.

A recipient with a business relationship with the EQC has asked for a set of data to fulfill a proposal or giving a costing for some reason. The staff member wasn't able to fulfill this in their internal system, so they exported all the data, modified it into the spreadsheet and accidentally emailed it to the wrong recipient. Innocent enough to fulfill a need.

The big hole I'm seeing is their internal system should not allow for mass exporting of data. Everything should be done within the system (securely) with NO exporting functions whatsoever. If a third party needs access, this should be severely limited to exactly what they need with no deviations. As soon as that requirement has been completed, their access is disconnected.

Everyone makes mistakes. What amazes me is one person got this data, informed the EQC and destroyed it. The ramifications of this could've been massive, however they weren't. Give the employee are warning, improve your internal processes and move on from there.

mattwnz

15024 posts

Uber Geek

# 787281 26-Mar-2013 15:04

I think what people want to know is why the processes weren't in place initially, and should they even be using off the shelf outlook software. These heads do get paid an obscene amount, and you would hope they are employing companies at the top of the pack to implement their systems for them. I do think it is a substantial failure of their systems, considering their size and the amount they get paid. It shouldn't need human error like this to find a weakness in their systems. But NZ does tend to an an ambulance at the bottom of the cliff country.
I do however like how they did come out and admit the problem, and have been open about it. They should be commended for that.

alasta

4347 posts

Uber Geek

Trusted

Subscriber

# 787602 26-Mar-2013 22:43

nate: The big hole I'm seeing is their internal system should not allow for mass exporting of data. Everything should be done within the system (securely) with NO exporting functions whatsoever.

In an idealistic sense I agree with you, but having worked for corporates for many years I know that underinvestment in infrastructure and the need for flexibility tend to lead to the overuse of spreadsheets for analysing or extracting vast amounts of data. It shouldn't really happen, but it's just the reality.

Fundamentally I think the problem here is that workplace email systems don't draw a clear boundary between internal vs external communication. When you prepare a new email you select recipients in exactly the same way, use the same application, and have the same opportunity to attach files irrespective of whether the recipients are internal or external.

I don't know exactly what the solution is, but without some sort of ring-fencing I suspect that a lot of organisations are a lot more vulnerable to this sort of thing than they would like to think.

Regs

Infrastructure Geek
4057 posts

Uber Geek

Trusted

Microsoft NZ

Subscriber

# 787628 26-Mar-2013 23:33

mattwnz: and should they even be using off the shelf outlook software.

not really sure what to make of that comment. 'autocorrect' for recipients isnt a feature limited to outlook, and what would you replace it with? a closed email system that didnt allow external recipients to receive emails?

there are solutions available for -any- email system that can 'quarantine' outgoing attachments. some of them are probably clever enough to look inside a spreadsheet file and stop an email if the file contains more than 'X' rows. this is one option that might help prevent a data leak externally while still allowing some flexibility within the organisation.

as for EQC having some massive integrated systems in place to do their job in a specific way, we have to remember that, post the christchurch quake, their 'business' has probably changed substantially. its not like they have been rebuilding whole cities every year since first introducing systems.

I can just see the headlines now... "EQC spends time building new $3m IT system to better serve 'customers' and reduce privacy breaches. The project will take 3 years to complete and will cause delays to existing claims by up to 1 year"

an organisation typically has priorities for projects, and i can imagine that a ground up rebuild of their internal systems is somewhere low down on that list.

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

shrub

503 posts

Ultimate Geek

# 787659 27-Mar-2013 08:10

I think the main issue is why are they are using xls to view there database?

Cambo

103 posts

Master Geek

# 787677 27-Mar-2013 09:08

The NBR report says that the recipient was sent an Excel pivot-table.
A pivot-table should never be sent to an external party because the raw data is still sitting on the document.
At least high-light the portion that the party requires, copy & paste into a new doc, and then send it.

I'm usually a fence-sitter, benefit of the doubt kinda guy, but in this case it comes down to user error. Basic PEBCAK.
Always double-check your e-mail recipient is correct, and always make sure the attachment is correct.

jonherries

1075 posts

Uber Geek

Subscriber

# 787684 27-Mar-2013 09:34

I can see how it happens, especially in large organisations. We are lucky in healthcare that we have an anonymous identifier (National Health Identifier or NHI) which is 3 alpha 3 number 1 checksum character which we use for everything.

The only way to tie it back to a name and address is doing it manually, which we don't need to do. Having it means we can usually use our data comparatively safely. It is also good because we generally only do analysis to a TLA or Domicile code level so don't need addresses either.

Ironically it seems that even though we have this, we are paranoid about the EQC thing happening at my employer. Some of the guys did some analysis last year about how we could add age, domicile code, ethnicity, gender and all the other data (like GP or service providers) we have, to peg a NHI to a name and address when combining it with public data sources eg. whitepages and voting register.

Suffice to say that would take a lot of effort and time, it would probably be faster and easier to hack our system.

Jon

khull

1245 posts

Uber Geek

# 787714 27-Mar-2013 10:32

It is a business process issue, not a technical one. Sensitive information should be encrypted, there are tools available and can be deployed across assets.

I am familiar with the tools used in the insurance industry and know that exporting that amount of specific data is not supported. That would be a data warehousing task that was specifically obtained from the back end database for a particular purpose.

minimoke

717 posts

Ultimate Geek

# 787977 27-Mar-2013 14:28

A basic tenet of security is you put most of your security resource closest to the thing of most value.

In EQC’s case the thing of most value is the whole database. You do not let those without appropriate clearance near the whole data base. You do not replicate the database – full stop end of story. If data is let out it is done so in a small piece and in a controlled manner; its ring fenced / followed with security and returned back to the main data base or destroyed

If the tenet is applied the risk of a breach in security is minimised.

That there was a breach is an indication of incompetence. But that is no surprise. This is an organisation that is simply unskilled, at all organisational levels,with managing claims of this magnitude. It is out of its depth and it always was going to be from September 11

If I could implement one EQC change it would be that an EQC levy is paid but the insurance company manages the claim. Cut EQC right out of the equation.

mattwnz

15024 posts

Uber Geek

# 787982 27-Mar-2013 14:32

I thought there was some tool that could be applied to documents that prevented them being sent out from an organisation, so they could only be viewed and edited inhouse. A bit like library books that have a chip in them, which don't allow them to exit the building. If it does get sent outside the orgainsation its encrypted so is not viewable anyway to anyone outside the orgaisation without the key.If there isn't such a tool it could be a multi billion dollar idea.

Regs

Infrastructure Geek
4057 posts

Uber Geek

Trusted

Microsoft NZ

Subscriber

# 788210 27-Mar-2013 20:02

mattwnz: I thought there was some tool that could be applied to documents that prevented them being sent out from an organisation, so they could only be viewed and edited inhouse. A bit like library books that have a chip in them, which don't allow them to exit the building. If it does get sent outside the orgainsation its encrypted so is not viewable anyway to anyone outside the orgaisation without the key.If there isn't such a tool it could be a multi billion dollar idea.

You can implement a DRM (digital rights management server) and use it with Exchange/Outlook, and Office apps (Word/Excel/Powerpoint etc) to enforce rights on documents. This would definitely stop an external party from accessing a DRM'd document (unless they break encryption).

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

scuwp

3189 posts

Uber Geek

# 788233 27-Mar-2013 20:46

2 people support this post

= storm in a teacup IMO.

yes by all means protect your documents, but the way these things play out these days just makes my skin crawl.

A few years ago no one would have given a toss. Someone made a boo boo (it happens to the best of us) and in days gone by the recipient would have had some modicum of respect and discretion, would have deleted the email (or returned the envelope UNOPENED) and politely advised the sender. End of story, everyone would have got on with life.

Now everyone wants to score political points, have their 5 minutes of fame, and the media blow the whole thing out of all proportion...as sensationalist as our media have now become.

Just my 2 cents...

Always be yourself, unless you can be Batman, then always be the Batman

JamesL

956 posts

Ultimate Geek
Inactive user

# 788862 28-Mar-2013 18:29

http://www.stuff.co.nz/national/politics/8485413/EQC-email-system-shut-down

Knee jerk SHUT IT DOWN!