THE BLOG

It Took Just One Email to Compromise the Leaders of the Free World

04/02/2015 07:07 am ET | Updated Jun 02, 2015
ASSOCIATED PRESS

Whether an autofill mishap or a "What in the name of God were you thinking?" move, somebody's shrimp is on the barbie at Australia's immigration department after an officer there emailed President Obama's passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.

An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year's G20 summit in Brisbane -- including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China's President Xi Jinping, India's Prime Minister Narendra Modi, Japan's Prime Minister Shinzo Abe and UK Prime Minister David Cameron -- was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.

The freedom of information request revealed that an immigration official notified Australia's privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.

"The personal information which has been breached," an email notifying the privacy commissioner stated, "is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit."

"The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person.

"The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

"The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach."

The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the "deleted items" folder.

The Inevitable Weak Link

Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example of this. The retailing icon didn't properly segment data, and someone at a heating and air conditioning company with a Target contract, and unknowing access to far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to access its point-of-sale systems -- in other words, human error. Subsequently, multiple warnings from Target's own security protocols -- indicating the presence of malware -- were overridden by someone(s), also human error.

In the G20 instance, the damage was most likely not great -- at least to the world leaders in question. That said, Steve Wilson, a principal analyst focusing on digital identity and privacy at Constellation Research told the Guardian, "What I'd be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them."

Wilson went on to hypothesize: "If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk."

Now comes the unavoidable question: When it involves the protection of a president or prime minister, is "most likely safe" an acceptable standard? For a government employee to send out such internationally sensitive information in an email and for a privacy commissioner to decide not to notify anyone that the breach had occurred needs to get tagged as "human error" as well. (If anyone should know better, one would assume it might be the "privacy" commissioner, yes?) One of the more crucial protocols in a data compromise is transparency, at least with respect to those who have been exposed. If you're not aware of the fact that you are in harm's way, how can you possibly protect yourself?

You may remember the scene in the 2006 remake of the Pink Panther where Clouseau, played by Steve Martin, gets his hand stuck inside a vase. He asks the casino owner if the item is valuable, and is told that it's a worthless imitation. Mindful of that information, Clouseau slams the vase on a desk to free his hand, breaking both in the process.

"But that desk," the casino owner says, "was priceless."

So now anyone wanting to get their hands on that PII knows where it isn't, but they also have some clues as to how to piece it together, and where it might be. (Of course, no hacker has ever raised deleted files from the dead.) They also now know that Australia has porous defenses, even if their vulnerabilities exist only at the level of a human resources failure to properly train employees on data security best practices. But then there's the question of the privacy commissioner's handling of the situation, which none of this explains. Sigh...

The leak of PII belonging to world leaders is an extremely serious matter. For years many have warned that any system is only as secure as its weakest link ... and that humans are almost always the weakest link. So the beat goes on.