The short version is that typing in a recipient's last name first expanded in the sender's email client (it could have been any email client) to a Times reporter with the same last name instead of the sender's co-counsel. That should never happen. But it happens all the time. It usually has benign results. Why, just the other day I sent a short email message to a friend, I'll call him Andy Jones. I typed in his email address from memory: email@example.com. Except that wasn't his address. I did not get a reply, I knew he usually replied quickly, and I saw by his IM screen name that he was on and active. So I looked up his email address to be sure. I had left out a letter. He used his middle name: firstname.lastname@example.org. Bummer. But no harm done. It was a short, nothing-secret-about-it kind of note. But this story and my example reminded me of something from a past company.
Up in the UNIX support group at Digital Equipment Corporation (DEC), in the olden days, everyone there used the same VAX computer, decvax. It was a major UUCP gateway (look it up—it's part of your history!). On this central computer, there was a mail aliases file. Usually, such a file is used for mailing list support. For example, ultrix-engineers might expand to the email addresses of the entire group of software engineers. That's a good use for distribution lists. One day a product manager sent a note out to internal folks about what she was working on, DECWindows. She sent it to what she thought were internal folks... not even a distribution list. She sent email to—and I am making up these names now: joe, mary, ken, tom, and jane.
The next day, she got a note from Ken Thompson at Bell Labs saying, basically, "I don't think this was meant for me." See, the developer she wanted to send to, Ken Smith, used his initials for his mailbox, kts. The mailbox "ken" ... well, you see where it went to. It could have been worse. In that same file there was a mailbox "bill" which went to Bill Shannon and "joy" that did not go to Joy Dormat, but rather to Bill Joy. Shannon, formerly an employee of DEC UEG, and Joy, formerly at UC Berkeley—which explains the "why?" of their emails being in the DEC aliases file—both had moved to Sun Microsystems, a major DEC competitor. Now, that wasn't the same problem as what happened to Lilly. Back then, email clients did not auto-complete addresses. It is a worse problem today. One types and the email client fills in a name, we hit
(In the past, I've written about, lectured about, and reviewed products, and recommended policies, that mitigate risks like this. It really is old stuff, that has already been managed. We just don't bother. See my Secure E-mail Collection.)