Check Point 2013 Security Report - page 31

04 DATA LOSS INCIDENTS IN YOUR NETWORK
(see list of data types in Appendix D) which were sent to external destinations either by email or other online posting means.

Our findings, as depicted on Chart 4-A, indicate that Government and Financial organizations were at the highest risk of potential data loss.
Internal Emails Sent Outside of the Organization

In many cases, data loss events occur unintentionally through employees sending email communications to the wrong recipients. Our research looked at two types of emails that may indicate such incidents. The first type consisted of emails that were sent with internal visible recipients (i.e. To and CC) and external recipients in the BCC field. Such emails, in most cases, seemed to be internal but actually left the company. The second type consisted of emails sent to several internal recipients and a single external party. Such emails were usually sent unintentionally to a wrong external recipient. One or both of these types of events were found in 28% of organizations examined.
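The two recipient patterns described above, expressed as detection logic over constructed message headers. This is an added example, not the report's or Check Point's own detection code; it assumes messages have already been parsed into To, CC and BCC address lists and that the organization uses a single internal domain (the placeholder example.com), both of which are assumptions made for this example.

```python
"""Flag the two recipient patterns the report associates with misdirected email.

Added example, not the report's or Check Point's own detection logic. It assumes
messages are already parsed into To, CC and BCC address lists and that the
organization has one internal domain (the placeholder example.com); both are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example.com"  # constructed placeholder, not a real organization


@dataclass
class Message:
    subject: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)


def is_internal(addr: str, domain: str = INTERNAL_DOMAIN) -> bool:
    """True when the address is in the organization's own domain."""
    return addr.strip().lower().rsplit("@", 1)[-1] == domain.lower()


def classify(msg: Message, domain: str = INTERNAL_DOMAIN) -> Optional[str]:
    """Return the matching pattern name, or None when the message looks normal."""
    visible = msg.to + msg.cc
    internal_visible = [a for a in visible if is_internal(a, domain)]
    external_visible = [a for a in visible if not is_internal(a, domain)]
    external_bcc = [a for a in msg.bcc if not is_internal(a, domain)]

    # Pattern 1: To/CC hold only internal addresses, so the mail looks
    # internal, but one or more external addresses are hidden in BCC.
    if internal_visible and not external_visible and external_bcc:
        return "internal-looking-with-external-bcc"

    # Pattern 2: several internal recipients plus exactly one external party,
    # the shape of a mail accidentally sent to a wrong outside address.
    if len(internal_visible) >= 2 and len(external_visible + external_bcc) == 1:
        return "multi-internal-single-external"

    return None


def scan(messages: List[Message], domain: str = INTERNAL_DOMAIN) -> List[Tuple[str, str]]:
    """Return (subject, pattern) for every message that matches a pattern."""
    findings = []
    for msg in messages:
        pattern = classify(msg, domain)
        if pattern:
            findings.append((msg.subject, pattern))
    return findings


# Constructed sample traffic; none of these addresses are real.
SAMPLE_MESSAGES = [
    Message("Q3 budget draft", to=["alice@example.com"], cc=["bob@example.com"],
            bcc=["contact@partner.invalid"]),
    Message("Team offsite", to=["alice@example.com", "bob@example.com",
                               "alice.smith@webmail.invalid"]),
    Message("Lunch?", to=["carol@example.com"]),
    Message("RFP answers", to=["dan@example.com"],
            cc=["sales@vendor.invalid", "legal@vendor.invalid"]),
]

if __name__ == "__main__":
    for subject, pattern in scan(SAMPLE_MESSAGES):
        print(f"{pattern}: {subject}")
```

The fourth sample message (one internal recipient, two external ones in CC) matches neither pattern, which is the point of the second rule's "single external party" condition: a mail openly addressed to several outsiders is ordinary business correspondence, whereas a lone external address among internal colleagues is the shape a typo in the recipient field produces.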
What Types of Data Do Employees Send to External Recipients or Post Online?

Chart 4-C shows the top data types sent to parties outside of the organization. Credit card information led the list, while source code and password protected files registered second and third respectively.
Is your Organization PCI Compliant?

Staff members routinely send credit card numbers over the Internet - their own and their customers’. Employees send customer payment receipts that contain credit card information as email attachments. They reply to customer emails that contain credit card information in the original email body text. At times, employees even send spreadsheets with customer data to private email accounts or to email addresses of business partners. Often, credit card number-related incidents resulted from broken business processes or employees’ lack of attention and awareness. Such incidents may indicate that the corporate security policy does not meet the objective of promoting secure and careful use of corporate property.

Moreover, sending credit card numbers over the Internet is not compliant with PCI DSS requirement 4, which mandates that cardholder data must be encrypted during transmission across open public networks. Failing to comply with PCI DSS can result in a damaged corporate reputation, lawsuits, insurance claims, cancelled accounts, payment card issues, and government fines.

Our research inspected outgoing traffic from organizations and scanned the content of all message parts, including attachments and archives. We also searched for emails containing credit card numbers or cardholder data. The inspections were based on regular expressions, validation of check digits, and PCI DSS compliance regulations.
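The inspection just described, as an added example rather than Check Point's detection code: candidate card numbers are located with a regular expression, validated with the Luhn check digit that payment card numbers carry, and reported masked so the detector's own findings do not contain cardholder data. It assumes the message parts (body, attachments, archive members) have already been extracted to text; the parts and numbers below are constructed sample input using well-known test card numbers, not real accounts.

```python
"""Locate and validate payment card numbers in outbound message parts.

Added example, not Check Point's detection code. It assumes message parts
(body, attachments, archive members) have already been extracted to text;
the parts and numbers below are constructed sample input, using well-known
test card numbers rather than real accounts.
"""
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:           # same as summing the two digits of the product
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass the Luhn check."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so findings do not themselves leak data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_message(parts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each message part that contains a valid card number to its masked hits."""
    findings = {}
    for name, text in parts.items():
        pans = find_pans(text)
        if pans:
            findings[name] = [mask(p) for p in pans]
    return findings


# Constructed outbound message: a body, an attachment and a file from an archive.
# 4111 1111 1111 1111 and 378282246310005 are published test numbers, not accounts.
SAMPLE_PARTS = {
    "body": "Hi, please charge 4111 1111 1111 1111 for order 1234567812345678.",
    "attachment:receipt.txt": "Card: 378282246310005 Amount: 120.00",
    "archive:notes.zip/todo.txt": "Call back on 555-0100 about invoice 2013-04.",
}

if __name__ == "__main__":
    for part, hits in scan_message(SAMPLE_PARTS).items():
        print(part, hits)
```

The 16-digit order number in the body is the reason the check digit matters: it has the right length and shape for a card number, so a regular expression alone would flag it, but it fails the Luhn check and is dropped. Matching on the regular expression and then validating is what keeps the false-positive rate of such an inspection workable.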
Chart 4-B: Percentage of Organizations by Industry in which Credit Card Information was Sent Externally (% of Organizations)

Industry      % of Organizations
Government    47%
Finance       36%
Industrial    26%
Other         26%
Telco         18%
Consulting    11%

In 28% of organizations examined, an internal email was found to be sent to an external recipient.

Source: Check Point Software Technologies