Check Point 2013 Security Report - page 30

Our research analyzed traffic sent externally from
organizations. We examined both HTTP and SMTP
traffic. In other words, when emails were sent to an
external recipient, a Check Point device inspected the
email body, email recipients and attachments including
zipped files. We also inspected web browsing activities
such as web posts and web mails. As a security policy for
these devices, we configured out-of-the-box pre-defined
data types to detect sensitive data, forms and templates
(e.g. credit card numbers, source code, financial data
and others) that may indicate a potential data leak to
illegitimate recipients. A detailed list of researched data
types can be found in Appendix D.
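
An added example, not Check Point's code or data type definitions: it applies the inspection described above (recipients, message body, attachments and zipped files) to one outbound message, checking for a credit card data type. The internal domain `corp.example`, the regex-plus-Luhn definition of the data type, and the sample message are assumptions constructed for this illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"  # assumption: the organization's own mail domain
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(number):  # Luhn checksum: discards most digit runs that are not card numbers
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_hits(text):
    found = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return sum(1 for digits in found if luhn_ok(digits))

def parts_to_scan(msg):
    # Yield (location, text) for the body, attachments, and members of zipped attachments
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "body"
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    yield f"{name}!{member}", zf.read(member).decode("utf-8", "replace")
        else:
            yield name, data.decode("utf-8", "replace")

def inspect_outbound(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    hits = {loc: n for loc, text in parts_to_scan(msg) if (n := card_hits(text))}
    return {"external": external, "hits": hits, "alert": bool(external and hits)}

def sample_message():
    # Constructed sample: clean body, zipped CSV with one Luhn-valid test number
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("customers.csv", "A. Tester,4111 1111 1111 1111\nB. Tester,1234 5678 9012 3456\n")
    msg = EmailMessage()
    msg["To"] = "bob@corp.example, carol@partner.example"
    msg.set_content("List attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="export.zip")
    return msg.as_bytes()
```

The alert fires only when a data type match and an external recipient occur in the same message, which is the "potential data loss" condition the research counts.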
Potential Data Loss in Your Organization
Our findings reveal that 54% of organizations in our
research had at least one event which may indicate a
potential data loss occurrence over a 6-day average period.
We considered events that included internal information

Oops… I Sent the Email to the Wrong Address

Here are some examples of unintentional data loss incidents caused by employees in 2012.

In October 2012, Stoke-on-Trent City Council in the UK was fined £120,000 after a member of its legal department sent emails containing sensitive information to the wrong address. 11 emails intended for a lawyer working on a case were sent to another email address due to a typing mistake.

Japan’s newspaper Yomiuri Shimbun fired one of its reporters in October 2012 for accidentally sending sensitive investigative information to the wrong recipients. The reporter meant to send some of his research findings to his colleagues via email, but instead, he sent the messages to several media outlets, disclosing the identities of his sources [24].

In April 2012, Virginia Military Institute in Lexington inadvertently sent out students’ grade point averages via an email attachment. The original intention was to email a single spreadsheet that contained names and residences so that students can confirm their mailing addresses [25]. Instead, the school sent an email to the graduating class president containing that spreadsheet along with another confidential spreadsheet which listed the grade point averages of every senior student. Unaware of the second spreadsheet, the president forwarded the message to 258 students.

Texas A&M University accidentally sent an email with an attachment containing 4,000 former students’ Social Security numbers, names and addresses to an individual who subsequently notified the university of the mistake. The incident took place in April 2012 [26].

Chart 4-A: Percentage of Organizations with at least One Potential Data Loss Event by Industry (% of Organizations)

Finance: 61%
Industrial: 50%
Telco: 45%
Consulting: 33%
Others: 54%
Government: 70%

Source: Check Point Software Technologies