In WW2 the UK Government ran a campaign called Loose Lips Sink Ships. It was a warning to be careful what you said in case it could be overheard. Fast forward to 2019 and it seems that few people have any filters about what they talk about in public or semi-public spaces.
In a blog by Lisa Forte from Red Goat Cyber Security, she recounts her experience of a conversation overheard in the ladies toilet. The toilet was open to members of the public but that didn’t deter two members of staff from a law firm complaining about a member of staff “Darren” who apparently took credit for work they did. It gets worse with Forte listing other areas of conversation such as:
- Who their top three clients were and the projects they were undertaking for them including dealing with a hostile takeover bid;
- Some new R&D the law firm had invested heavily in;
- Who the key members of staff were who were dealing with this R&D;
- Which members of staff were rumoured to be having an affair with one another along with the “evidence” these two ladies had to prove their suspicions;
- More info on the odious Darren, including his contact details and a plethora of reasons why everyone on the planet should hate him, and
- As the big finale, they read aloud what was presumably a highly sensitive email from a client and then proceeded to analyse it and mock the client.
People give out the most incredibly sensitive data in public
This case from Forte is not unusual. Sit around an airport lounge, on a train, in coffee shops, a hotel lobby or restaurants and there is a vast pool of information to pick up.
It is not just law firms that should know better. Having breakfast in a café near a government department was a case in point for me. Most mornings, members of that department get their breakfast and morning coffee while discussing their workload and any cases they were working on. The level of information was truly surprising, yet nobody considered it wrong as the café was treated as an extension of the office canteen.
On trains, I’ve sat opposite people calling their banks and credit card companies, giving out their security information when asked. They even make purchases over the phone giving away all the details of their credit cards without any worry.
At airport lounges, the conversations are often about deals that enterprises are involved in. The level of detail is truly scary. On a flight a few years ago, four journalists sitting behind senior sales people for a technology company were treated to several hours of detailed confidential information. The look of fear on their faces when, as everyone deplaned, the journalists handed over their business cards was surprising.
Shop workers just as guilty
Businesses are just as much of a problem. I was alerted to Forte’s blog by Serrie Chapman, Founder, Women’s Tech Jobs. Chapman shared her experience of being in a branch of Currys PC World recently.
Chapman said: “I was looking for a network cable in PC World one day when they were taking a couple’s full details for an account, address, credit card details, DOB, place of birth etc. I was completely shocked as it was on the shop floor. I even knew the names and dates of birth of their children and when they got married. They only just stopped short of asking their bank account online password.”
While the shop might have required some of this information, it is questionable how much it really did need. Completing a store credit application often results in significant over-acquisition of data. The fact that this was done on the shop floor, in the hearing of other shoppers, is truly staggering. The problem is that many shops don’t have rooms where they can take details from customers. This increases the risk of being overheard.
For the couple concerned, the data listed would allow anyone else to now impersonate them. They would have no idea where the data was acquired. The long term implications of identity theft last for years. This is something that we have asked Currys PC World for a statement on but have heard nothing.
Enterprise Times: What does this mean
Data security is a serious problem. This type of data leakage, be it personal or business data, is often not even recognised by people. That does not mean that the implications are not serious. Imagine if Forte had contacted the client whose email was being read out. The implications of that call could have far reaching consequences for the firm and its employees.
There are other business-threatening issues here. Confidential data leaked to a newspaper or put into the public domain would have organisations looking for a data breach. This is a costly exercise and has regulatory and compliance implications. In this case there is nothing for the IT department to find which, in itself, creates more complex concerns from a security perspective.
Even at the personal level there are business implications. The data gathered by Currys is more than enough for identity takeover and spear phishing. An email supposedly from Currys would have a high chance of being opened and any links clicked on. This could lead to malware being downloaded and the local machine or even office machines being infected.
Sadly, there is little that can be done about this. People will often deny doing it. If you try and tell them they either look blankly at you or say you shouldn’t have been listening. For all the technology we invest in, we still need to educate employees to think.