2/18/08

Another Expensive Loss, This Time Due to Email

The headline said Lilly's $1 Billion E-Mailstrom. Katherine Eban opened with, "A secret memo meant for a colleague lands in a Times reporter's in-box."

The short version is that typing in a recipient's last name first expanded in the sender's email client (it could have been any email client) to a Times reporter with the same last name instead of the sender's co-counsel. That should never happen. But it happens all the time. It usually has benign results. Why, just the other day I sent a short email message to a friend; I'll call him Andy Jones. I typed in his email address from memory: ajones@example.com. Except that wasn't his address. I did not get a reply; I knew he usually replied quickly, and I saw by his IM screen name that he was on and active. So, I looked up his email address to be sure. I had left out a letter. He used his middle name: abjones@example.com. Bummer. But no harm done. It was a short, nothing-secret-about-it kind of note. But this story and my example reminded me of something from a past company.

Up in the UNIX support group at Digital Equipment Corporation (DEC), in the olden days, everyone there used the same VAX computer, decvax. It was a major UUCP gateway (look it up—it's part of your history!). On this central computer, there was a mail aliases file. Usually, such a file is used for mailing list support. For example, ultrix-engineers might expand to the email addresses of the entire group of software engineers. That's a good use for distribution lists. One day a product manager sent a note out to internal folks about what she was working on, DECWindows. She sent it to what she thought was internal folks... not even a distribution list. She sent email to—and I am making up these names now: joe, mary, ken, tom, and jane.

The next day, she got a note from Ken Thompson at Bell Labs saying, basically, I don't think this was meant for me. See, the developer she wanted to send to, Ken Smith, used his initials for his mailbox: kts. The mailbox "ken" ... well, you see where it went. It could have been worse. In that same file there was a mailbox "bill" which went to Bill Shannon and "joy" that did not go to Joy Dormat, but rather to Bill Joy. Shannon, formerly an employee of DEC UEG, and Joy, formerly at UC Berkeley—which explains the "why?" of their emails being in the DEC aliases file—had both moved to Sun Microsystems, a major DEC competitor. Now, that wasn't the same problem as what happened to Lilly. Back then, email clients did not auto-complete addresses. It is a worse problem today. One types, the email client fills in a name, we accept it with a keystroke and go on to typing the next name, and so on. It is a problem with some technical solutions, but solutions that we mostly ignore because "it just won't happen to us, and even if it did, what could happen?" There are solutions out there. I bet that Eli Lilly's outside law firm gets an email firewall.
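As an added illustration (my example, not the author's code or anything from DEC), here is a small Python check for the two failure modes described above: expanding a sendmail-style aliases file to find short personal aliases that deliver outside the company's domains, and an auto-complete rule that refuses to pick one match when several directory entries share the typed name. The aliases file, the directory entries and the domains are constructed sample data, and `example.com` is assumed to be the internal domain.

```python
"""Two checks for the mail-routing mistakes in the post: aliases that
silently route outside the organization, and address auto-completion
that picks one of several matches. All data below is constructed."""

# Constructed aliases file in sendmail(8) format: "name: addr, addr",
# with continuation lines indented by whitespace. Names are invented.
SAMPLE_ALIASES = """\
# personal mailboxes
kts: ksmith@ultrix.example.com
ken: ken@research.bell-labs.example
bill: shannon@sun.example
joy: bj@sun.example
# a distribution list, the intended use of the file
ultrix-engineers: kts, jane@ultrix.example.com,
    tom@ultrix.example.com
"""

# Assumed internal domain; subdomains count as internal too.
INTERNAL_DOMAINS = {"example.com"}


def _split_recipients(s):
    return [r.strip() for r in s.split(",") if r.strip()]


def parse_aliases(text):
    """Return {alias: [recipient, ...]}. Blank and '#' lines are skipped;
    an indented line continues the previous entry."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current].extend(_split_recipients(raw))
            continue
        name, _, rest = raw.partition(":")
        current = name.strip()
        aliases[current] = _split_recipients(rest)
    return aliases


def resolve(name, aliases, _seen=frozenset()):
    """Expand a recipient through nested aliases to final addresses.
    A bare name with no alias entry is a local mailbox."""
    if name in _seen or name not in aliases:
        return [name]
    out = []
    for r in aliases[name]:
        out.extend([r] if "@" in r else resolve(r, aliases, _seen | {name}))
    return out


def is_internal(addr, internal_domains=INTERNAL_DOMAINS):
    if "@" not in addr:          # local mailbox on this host
        return True
    domain = addr.rsplit("@", 1)[1].lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(recipients, aliases, internal_domains=INTERNAL_DOMAINS):
    """Final addresses of a message that leave the internal domains. An
    outbound gateway (the 'email firewall' idea) would hold or flag a
    message for which this is non-empty."""
    ext = []
    for r in recipients:
        for addr in resolve(r, aliases):
            if not is_internal(addr, internal_domains) and addr not in ext:
                ext.append(addr)
    return ext


def external_routes(aliases, internal_domains=INTERNAL_DOMAINS):
    """Audit the aliases file itself: every alias that delivers anywhere
    outside the internal domains."""
    return [(a, addr) for a in aliases
            for addr in external_recipients([a], aliases, internal_domains)]


# Constructed address-book entries for the auto-complete check.
DIRECTORY = [
    ("Ken Smith", "ksmith@ultrix.example.com"),
    ("Pat Smith", "psmith@times.example"),            # outside the company
    ("Ken Thompson", "ken@research.bell-labs.example"),
    ("Jane Doe", "jane@ultrix.example.com"),
]


def complete(typed, directory=DIRECTORY):
    """Every entry an auto-completer could expand `typed` into: any word of
    the display name, or the mailbox part, starting with the typed text."""
    t = typed.lower()
    hits = []
    for name, addr in directory:
        words = name.lower().split() + [addr.split("@")[0].lower()]
        if any(w.startswith(t) for w in words):
            hits.append(addr)
    return hits


def safe_complete(typed, directory=DIRECTORY):
    """Expand only when the match is unique; otherwise return None so the
    client must show the choices rather than guess."""
    hits = complete(typed, directory)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    aliases = parse_aliases(SAMPLE_ALIASES)
    print("aliases leaving the company:", external_routes(aliases))
    print("outside recipients of the DECWindows note:",
          external_recipients(["joe", "mary", "ken", "tom", "jane"], aliases))
    print("typing 'smith' completes to:", complete("smith"), "->", safe_complete("smith"))
```

Run against the sample, `external_routes` reports the three personal aliases that leave the company, and `safe_complete("smith")` returns `None` because two entries share the last name, which is exactly the case where a client should stop and ask instead of picking one.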

(In the past, I've written about, lectured about, and reviewed products, and recommended policies, that mitigate risks like this. It really is old stuff that has already been managed. We just don't bother. See my Secure E-mail Collection.)
