Networkworld.com is reporting that McAfee has had a small data breach of sorts. It’s ironic on so many levels because McAfee is a data security company; they market a solution for e-mail security; and the people involved in the breach were attendees of a security conference.
The lost information is, well, quite personal on some levels, but not exactly the type of data I’d feel requires the use of data encryption like AlertBoot.
According to the story, an attachment that contained the information of all 1,408 people was included in a thank-you e-mail sent to conference attendees. The information included “names, numbers (telephone numbers?), e-mail addresses, employment details, and…dietary requirements.”
Not exactly scandalous. I mean, so 1,407 people might now know that another guy is lactose intolerant, or needs a kosher meal, or requires that only blue M&Ms be served because he’s a rock-star-turned-security-guru.
Meh. Worse things have happened; although, I must admit McAfee does have a slightly embarrassing situation. It’ll blow over, though. (Unless it mushrooms into something bigger such as, say, McAfee filing a lawsuit against the guy who “leaked” this information. Now that would be scandalous.)
Layered Security Has Its Limits, Too
That being said, the above is also indicative of why one needs to approach data security in a layered manner. Many people deploy some kind–any kind–of data security solution and then expect to be “secure.” This is like expecting that a contract with ADT will prevent break-ins, and so neglecting to lock doors and shut windows. That’s no way to approach security–data or otherwise.
But, in the above case, even if McAfee had all the correct security software in place, it probably wouldn’t have caught the data breach. Why?
Because the above information is not that critical. Nobody (OK, almost nobody) creates a data security policy based on the fact that e-mail addresses and phone numbers exist on a spreadsheet. This stuff gets exchanged all the time–heck, most of the time, and that’s the intention.
If you do create a data security policy flagging attachments with e-mail addresses and numbers, though–in order to prevent a similar McAfee e-mail snafu–you’re going to generate false positives (stopping e-mails whose attachments are supposed to contain that information) more than anything else.
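To make the false-positive problem concrete, here is an added example (not from the original article or any vendor's product) of such a rule run over a handful of constructed outbound e-mails. The regexes, the threshold, and the sample messages are all assumptions made for illustration.

```python
import re

# Simplified patterns (assumptions for this example, not a vendor's DLP rule set).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def contact_rows(text):
    """Count attachment lines holding both an e-mail address and a phone number."""
    return sum(1 for line in text.splitlines()
               if EMAIL_RE.search(line) and PHONE_RE.search(line))

def rule_blocks(text, threshold=3):
    """Hypothetical policy: hold the mail if the attachment has >= threshold contact rows."""
    return contact_rows(text) >= threshold

def sheet(n, extra=""):
    """Build a constructed contact sheet of n rows (made-up example.com values)."""
    return "\n".join(f"Person {i},+1 555 0100 {i:03d},person{i}@example.com{extra}"
                     for i in range(n))

# Constructed outbound mail: (description, sender meant to attach this?, attachment text)
OUTBOUND = [
    ("speaker contact sheet to event venue", True, sheet(4)),
    ("lead list to CRM vendor", True, sheet(5)),
    ("on-call roster to partner team", True, sheet(3)),
    ("invoice with one billing contact", True,
     "Invoice for services\nBilling: +1 555 0100 999, billing@example.com"),
    ("thank-you mail with full attendee list", False, sheet(4, ",vegetarian")),
]

def evaluate(mails, threshold=3):
    """Return how many mails the rule holds, and how many of those were legitimate."""
    held = [(desc, intended) for desc, intended, text in mails
            if rule_blocks(text, threshold)]
    false_pos = sum(1 for _, intended in held if intended)
    return {"held": len(held), "false_positives": false_pos,
            "mistakes_caught": len(held) - false_pos}

if __name__ == "__main__":
    print(evaluate(OUTBOUND))               # rule as written
    print(evaluate(OUTBOUND, threshold=5))  # "tuned" to cut the noise
```

At the default threshold the rule holds three legitimate mails to catch one mistake; raising the threshold to quiet it down lets the mistaken attachment through, because nothing in the content distinguishes it from the intended ones.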
About the only way to prevent McAfee’s data-peccadillo from happening is to have people pay attention to what they’re doing…you can’t package and sell that, unfortunately, which is the ultimate reason why you can’t have 100% data security.