-Tom Lidikay

As reported by Gizmodo, the Commonwealth Bank of Australia admitted that staff mistakenly sent 651 emails containing customer data to the wrong email address.

Instead of using the “cba.com.au” domain, staff sent messages to the “cba.com” domain, previously owned by an American cybersecurity firm. Fortunately, if you are going to pick a place to accidentally send data, it's difficult to think of a safer one.

Reportedly they “solved” the issue by internally blocking emails to the .com domain, and eventually purchasing the domain outright.
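The two controls the bank reportedly settled on (block the mistyped domain, then buy it) can be generalised into an outbound recipient check that holds mail addressed to look-alikes of the organisation's own domain. This is an added example, not the bank's or the article's code; the domain values, the `Finding` type and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed values: the bank's real domain (named in the article) and the
# mistyped domain it later blocked. A real deployment would load these from config.
ORG_DOMAIN = "cba.com.au"
BLOCKED_DOMAINS = {"cba.com"}

@dataclass(frozen=True)
class Finding:
    address: str
    reason: str

def _is_truncation(domain: str, org: str) -> bool:
    """cba.com is cba.com.au with its last label dropped."""
    d, o = domain.split("."), org.split(".")
    return 2 <= len(d) < len(o) and o[: len(d)] == d

def _one_edit_away(a: str, b: str) -> bool:
    """Single insertion, deletion or substitution (cba.cm.au, cba.com.ua)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def check_recipients(recipients, org_domain=ORG_DOMAIN, blocked=BLOCKED_DOMAINS):
    """Return a Finding for every recipient that should be held for review."""
    org = org_domain.lower()
    findings = []
    for addr in recipients:
        local, sep, domain = addr.rpartition("@")
        domain = domain.lower()
        if not sep or not local or not domain:
            findings.append(Finding(addr, "malformed address"))
        elif domain == org:
            continue  # genuine internal recipient
        elif domain in blocked:
            findings.append(Finding(addr, f"blocked domain {domain}"))
        elif "." not in domain:
            findings.append(Finding(addr, f"single-label domain {domain}"))
        elif _is_truncation(domain, org):
            findings.append(Finding(addr, f"{domain} is a truncated form of {org}"))
        elif _one_edit_away(domain, org):
            findings.append(Finding(addr, f"{domain} is one edit away from {org}"))
    return findings

# Constructed sample: one good internal address, three misdirections, one external.
SAMPLE = ["alice@cba.com.au", "bob@cba.com", "carol@cba.cm.au", "dave@cba", "erin@example.org"]
```

Legitimate external domains such as `example.org` pass untouched; only addresses that look like a mistyped copy of the organisation's own domain are held, which is the failure the article describes.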


The more baffling issue here is why they are using email to send confidential data at all.


The current implementation of email has its roots far back in internet history, in the days of the ARPANET, the government-run precursor to the networks we use today. Simple Mail Transfer Protocol (SMTP) was developed at a time when computer security was a purely academic subject, and very few people had the skills or the access to carry out an attack.

Nowadays, email has begun to show its age, and it has not been replaced only because so much legacy hardware continues to run it. No suitable replacement exists that covers everyone's use cases.

Email is so full of security holes that it's ridiculous:

- Mail client exploits

- Sender spoofing

Not to mention the lackluster state of attempts at email encryption, which follow a “better than nothing” approach.


There should be no reason whatsoever to use email for anything other than notes, scheduling meetings, and basic text conversation that would not ruin you if it were made public.

But we continue to shoehorn this aging, dilapidated protocol into a file transfer tool. Maximum attachment sizes on mail servers continue to grow, despite the lamentations of the technicians who maintain the systems.


We have no shortage of other means of transporting files securely, such as SFTP, Samba, and HTTPS transfers; even my company makes a utility to assist with these kinds of file transfers.

Yet we continue to do things the insecure way, and embarrassing news articles continue to be published about these bone-headed screwups.

Users need to be trained, and executive personnel need to make a commitment to investing in their organization’s security. It is hard to fathom why they would not, given mandatory disclosure laws and the bad publicity that comes with a breach like this.