Ever Heard of "bcc:"?

The Hole :On June 13, 2005, the University of Kansas Office of Student Financial Aid sent out an e-mail to 119 students, informing them that their failing grades put them at risk of losing their financial aid. The e-mail included all 119 students' names within the e-mail address list.

The Problem : Besides embarrassing their students, university administrators may have violated the US Department of Education's Family Education Rights and Privacy Act, which protects the privacy of students' grades and financial situations.

The Solution: First, companies need a policy that explicitly states what can and cannot be sent out via e-mail or IM. "A lot of companies don't have good acceptable-use policies for e-mail," says Michael Osterman, founder of Osterman Research. He suggests that they map out how employees should handle confidential information, offer them training and have them sign a one-page document stating that they have taken the course and understand what to do. University off Kansas officials say they have "undertaken internal measures - such as reviewing e-mail and privacy policies, and training staff - to ensure it does not happen again".

Osterman also suggests that CIOs add an outbound scanning system to the existing e-mail system that looks for sensitive content in e-mails (such as 16-digit numbers, which could be credit card numbers). He says these systems are inexpensive and are offered by scores of messaging vendors; some vendors will even do a complimentary scan of a company's messages to see how bad it might be. One vendor that he's familiar with started scanning a new customer's network and found 10 violations in 10 minutes.

No One Noticed? Really?

The Hole:Orazio Lembo made millions by purchasing account information from eight bank employees who worked at several financial institutions, including Bank of America, Commerce Bank, PNC, Wachovia and others. Lembo paid $US10 for each pilfered account. Most of the felonious employees were high-level, but two bank tellers were also arrested. Lembo had approximately 676,000 accounts in his database, according to Captain Frank Lomia of the Hackensack, New Jersey Police Department, an official investigating Lembo.

The Problem: Captain Lomia says that many of Lembo's contacts usually accessed and sold 100 to 200 accounts a week - but one managed to access 500 in one week. "What surprised me is that someone could look at 500 accounts and have no one notice," he says.

The Solution : CIOs, with the help of the HR, security and audit functions, need to institute a clearly defined policy on who has access to what information, how they can access it and how often. With the ever-increasing focus on governance, compliance and controls have to be on the top of a CIO's to-do list. "Through all the phases of information creation to maintenance and storage and destruction," asks PwC's Lobel, "do you have that data classification and life cycle process, and do people know what it is?" Lobel says many of his clients have compliance controls, but employees either don't know such controls exist or aren't clear where they apply. "User education is not easy, but it is worth the effort," he says.

ChoicePoint's Bad Choice

The Hole : Criminals posing as small-business owners accessed the information - names, addresses and Social Security numbers - of 145,000 ChoicePoint customers.

The Problem : Call it what you will - fraud, "social engineering", the Kevin Mitnick effect - this was one really glaring example of how these kinds of attacks are plaguing companies. Lobel says commercial enterprises could improve when it comes to training users about social engineering - hackers targeting well-meaning users over the phone or Internet to obtain private information such as passwords. "We're always going to find somebody who doesn't know what they shouldn't be doing," he says.

The Solution : CIOs should make sure that both users and customers are adequately trained in how to recognize and respond to phishing and other related attacks - especially before they go out and hire a company such as PwC to audit their user base. "[CIOs] should spend their money on a [training] program rather than on testing," Lobel says. ChoicePoint claims that it has strengthened its customer-credentialling procedures and is re-credentialling broad segments of its customer base, including its small-business customers.