Should Email Address Breaches Be Notification-Worthy?
Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals:
A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in an ongoing series of targeted e-mail attacks against customers of several Salesforce.com business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation’s largest payroll and tax services providers.
I have a few responses:
- First, I’m generally in favor of breach notice, as regular readers
are tired of hearing aboutwill know, and I’m always glad to see the debate extended chaotically. - Second, this would dramatically push up the overall cost of notifications, by requiring a rise in the quantity of notices.
- Third, I might be willing to entertain the “too many notices” idea a bit more around email addresses. Why that’s risky isn’t obvious to most people, who use addresses like bkrebs@, rather than adam+securityfix@whatever or securityfix@myvanitydomain.com. Is the disclosure of an address like bkrebs worthy of notice?
- Fourth, it’s not obvious what the security expectation really is here. I think of + addresses and vanity addresses as ways for me to dump junk mail, and track who’s selling it. If I tell my bank that my address is ddfc1a093efd108181d86f0bd90bcc6f@emergentchaos, I might well have an expectation that only they have it, along with their mail processor, my domain service provider who sends all emergentchaos email to me, my buddies who operate a mail server, and everyone sniffing a network if any of those players aren’t using “StartTLS for Opportunistic Email Encryption.” That’s a lot of people. I’m not sure it’s a reasonable assumption.
- [Updated to add] Email addresses such as that random string are a very useful part of an anti-phishing email strategy. If I sort email to ensure that only email to that address goes into a “bank” email folder, then phishing emails are far, far less effective because they’re in the wrong place.
I think that a bank could win points for customer service, and actively distinguish themselves for security purposes by offering to do this as part of their terms of service.
It’s actually a very interesting signal in that it’s somewhat hard to forge if the bank can be relied on to follow through. Each time you notify you’re reinforcing a message that you care about security, and that you’re willing to own up to mistakes.
Unfortunately, it’s easy to promise and not follow through at all, claiming that you’ve not been breached. (I’ve written more on signaling in “Security Signaling” and “Signaling by Counting Low Hanging Fruit?“)
In Europe they seem to qualify as PII. So, yes, be careful with email addresses.