So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.
Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.
From what Bob told me, the data was exactly that: It had all of this guy’s usernames and passwords, all of his security questions, his social security number and his passport, all of his bank account numbers, credit card numbers, his car payment, his mortgage, all of his wife’s and kid’s similar information. DLP blocked it because it saw things that looked like credit card numbers and social security numbers–DLP doesn’t have any way of knowing it’s your sensitive information.
“I couldn’t just steal this guy’s identity,” Bob said to me. “With that, I could steal it all. Empty his bank accounts, everything.”
“Then you could send in a 15-cent mortgage payment just to rub it in his face,” I suggested.
“Ah,” he said. “Or I could empty all of the savings accounts into the mortgage. If I do that, I haven’t stolen anything–but I’ve ruined his life for a long while.”
Of course, Bob wouldn’t do any of those things, because his employer knew when they hired him that he’d see this kind of stuff. Bob isn’t the problem though. The problem is anyone who might intercept the list on its way to your e-mail server, or someone who might get into your personal e-mail and find it.
I see stolen e-mail accounts frequently. Stealing an e-mail account is harder than it used to be, especially a Google or Hotmail account, but I still see it from time to time. And you’d better believe an e-mail attachment named passwords.xlsx is going to catch the attacker’s attention.
It’s great to have this kind of information in one place, but it needs to stay out of e-mail and off work computers. Print it out, put a copy in your safe deposit box. Put another copy in your safe at home if you have one, or in a desk drawer if you don’t. If you keep a Word or Excel document, encrypt it and put a strong password on it, and if you must e-mail it, e-mail the encrypted copy. Think about using a program like Keepass.
Stuff like this may not be in your company’s information security training, but maybe it ought to be. It’s something everyone needs to know.