
Email auto-complete to blame? Nope. Expert blasts EQC’s ‘Mickey Mouse’ security

Chris Keall
Tue, 26 Mar 2013

EQC boss Ian Simpson today blamed email auto-complete for a sensitive spreadsheet being sent to the wrong person.

The EQC will take further steps to ensure it does not happen again, he says.

It has addressed the immediate problem by switching off auto-complete to prevent future "human error" of not noticing if Outlook has picked the wrong person's name.

Rubbish, says Institute of IT Professionals CEO Paul Matthews.

“Just the fact they’re emailing spreadsheets means they’ve failed Security 101,” he told NBR Online. “That’s Mickey Mouse stuff.”

Sensitive information, such as the emailed spreadsheet’s cost estimates and other data on 87,000 Christchurch quake claims, should be stored on a central database that people have to log on to.

There are safeguards that can be put in place for email. Files can be encrypted. Microsoft Outlook, when combined with the right Exchange Server software, can be set to block certain files from being sent as attachments outside of an organisation. And Excel spreadsheets can be password protected.

But Mr Matthews says hacking an Excel password is trivial. There are free tools on the internet that will let a layman do it in no time.

And even if a spreadsheet is robustly protected, it is still much better to keep files in a database that cannot simply be emailed by a malicious employee set on a leak.

Simply, it’s email that is the problem. “Why the heck were they emailing people’s confidential data?” the IITP boss asks.

“If EQC had the right culture of security they wouldn’t be emailing. It [the autocomplete blunder] is a consequence rather than the cause.”

Losing control
On a technical level, email has to go through several mail servers on its way to the recipient, which raises security issues.

More importantly, Mr Matthews notes that even if you email a spreadsheet to the correct person outside your organisation, “the moment you hit send, you lose control. You’ve just got to trust the person you’re sending it to. They simply shouldn’t email spreadsheets around.”

Mr Simpson said that beyond switching off auto-complete "there are a number of short term measures we can take to minimise the need to use email to circulate this sort of information. The fuller fix will take a little longer".

Good guidelines, not followed
State Services Commissioner Ian Rennie has asked government chief information officer Colin MacDonald to investigate the EQC security breach.

Mr MacDonald is already heading an inquiry into computer security across all Crown agencies after the Ministry of Social Development security breach, which came on the heels of the ACC mistakenly sending confidential files to claimant Bronwyn Pullar.

Earlier, a CIO who has held high-ranking government positions told NBR there was already a comprehensive, GCSB-authored computer security manual that all Crown agencies are meant to follow (most of the manual is publicly available online; some sections are redacted).

In areas such as printing, viewing, copying and emailing sensitive data (or not), the manual offers solid, practical advice. Mr MacDonald's inquiry needed to focus on why it was not being followed.

ckeall@nbr.co.nz

© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.