Please do keep this email and the information included within it strictly private and confidential.
Quickest way ever to get the contents dropped on social media.
British clothes retailer Fatface has infuriated some customers by telling them "an unauthorised third party" gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves. Several people wrote into The Register to let us know about the personal data leak, with …
Agreed.
But here's an interesting twist. An organization drafts an email like this one – and note the one shown in the article is fairly long. Pick a dozen words with suitable synonyms and phrases that can be reworded, and make a list of their positions and alternatives. Now you can mechanically generate 2^12 different email messages that have the same semantic content but are unique.
Assuming you have fewer than 4096 recipients (find more alternative pairs if you have more), you can take your mailing list, compute a perfect hash, and use the binary representations of those values to select which alternative for each pair to use.
Now when a message leaks, you can instantly identify the leaker. All you need are the list of alternatives, the list of recipients, and the hash function. (This is not innovative; it's the same approach people used to find "birthday" collisions for digital signatures that used hash functions with too-short images.)
I doubt Fatface has anyone clever enough to do this sort of thing, but it's entirely possible to trace social-media leaks of "confidential" messages this way.
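The scheme in the comment above, worked through as an added example (my own code, not from the commenter or from Fatface): a template with twelve two-way synonym slots, a salt searched so that twelve bits of SHA-256 over each recipient address are collision-free for the mailing list (a small perfect hash), the bits used to pick one alternative per slot, and a matcher that recovers the bits from a leaked copy and maps them back to the recipient. The template text, slot alternatives and addresses are all constructed for the example.

```python
"""Trace which recipient leaked a 'confidential' email by encoding the
recipient's hash into the choice of synonyms at a dozen slots.
Constructed example: the template, the slots and the addresses are made up."""
import hashlib
import re

# Fixed text with numbered slots; each slot has two interchangeable phrasings.
# 12 binary slots -> 2**12 = 4096 distinguishable variants.
TEMPLATE = (
    "{0} keep this {1} and the {2} it contains {3} private and confidential. "
    "{4} an unauthorised {5} gained access to {6} holding {7} data "
    "{8}. We are {9} the matter and {10} to contact you {11}."
)
SLOTS = [
    ("Please do", "Please"),
    ("email", "message"),
    ("information", "details"),
    ("strictly", "entirely"),
    ("Earlier this year", "Some months ago"),
    ("third party", "party"),
    ("systems", "servers"),
    ("some customer", "certain customer"),
    ("for a period", "for a limited time"),
    ("investigating", "reviewing"),
    ("will continue", "intend"),
    ("as needed", "if required"),
]
BITS = len(SLOTS)

# Constructed recipient list (placeholder addresses).
RECIPIENTS = [
    "alice@example.invalid",
    "bob@example.invalid",
    "carol@example.invalid",
    "dave@example.invalid",
    "erin@example.invalid",
]


def code_for(address, salt, bits=BITS):
    """Low `bits` bits of SHA-256(salt || address): the recipient's variant code."""
    digest = hashlib.sha256(f"{salt}:{address}".encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def perfect_hash_salt(recipients, bits=BITS):
    """Search for a salt under which every recipient gets a distinct code,
    i.e. a collision-free (perfect) mapping for this particular list."""
    if len(recipients) > 2 ** bits:
        raise ValueError("more recipients than distinguishable variants")
    for salt in range(1 << 20):
        codes = {code_for(r, salt, bits) for r in recipients}
        if len(codes) == len(recipients):
            return salt
    raise RuntimeError("no collision-free salt found; add more slots")


def render(code):
    """Bit i of `code` selects which alternative fills slot i."""
    choices = [SLOTS[i][(code >> i) & 1] for i in range(BITS)]
    return TEMPLATE.format(*choices)


def personalised(recipients, salt):
    """One unique-but-equivalent message per recipient."""
    return {r: render(code_for(r, salt)) for r in recipients}


def identify(leaked_text, recipients, salt):
    """Recover the slot choices from a leaked copy and look up the recipient.
    Returns None when the text no longer matches the template (paraphrased,
    truncated, or not one of ours)."""
    parts = re.split(r"\{(\d+)\}", TEMPLATE)  # literal, index, literal, ...
    pattern, order = "", []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            pattern += re.escape(part)
        else:
            idx = int(part)
            order.append(idx)
            pattern += "(" + "|".join(re.escape(a) for a in SLOTS[idx]) + ")"
    m = re.search(pattern, leaked_text)
    if not m:
        return None
    code = 0
    for idx, found in zip(order, m.groups()):
        code |= SLOTS[idx].index(found) << idx
    table = {code_for(r, salt): r for r in recipients}
    return table.get(code)


if __name__ == "__main__":
    salt = perfect_hash_salt(RECIPIENTS)
    messages = personalised(RECIPIENTS, salt)
    leaked = messages["carol@example.invalid"]  # pretend this copy surfaced online
    print("leaked by:", identify(leaked, RECIPIENTS, salt))
```

Note that the matcher only works on a copy that keeps the template's fixed wording; a leaker who paraphrases, or who posts a screenshot of only part of the mail, breaks the regex and `identify` returns None, which is why real deployments combine several orthogonal marks rather than one.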
"Now when a message leaks, you can instantly identify the leaker."
And then what? You sent me an unsolicited email asking me to keep it confidential which I shared. What are you going to do now?
I never agreed to you categorising the issue as confidential. The worst you can do is refuse to accept my future business, which I am unlikely to give to you anyway after this fiasco.
They all spout the same utter bollocks about how they do take data security really, really, very really seriously indeed.
The only reason I read this article was because I misread the headline shop name as "Fartface". I need more beer I think...
So a very quick look at the jobs...
IT Application Support Analyst
What caught my eye:
Experience of common data reporting and analysis tools, including SQL Reporting Services (SSRS), Excel with external data connections, and VBA Macros
Excel and VBA macros... :)
No jobs advertised for Security Analyst though.
"More Red Face now."
Not for long if past experience shows anything. Even massive data breaches accompanied by fatuous follow-ups (see Equifax, who actually offered their own credit monitoring service after their own data breach) don't seem to hit business for more than a few months, if that.
Considering the quality of the notification email, Fathead might be a better name for their business. Oh well, I'm not a customer, so at least I got a laugh out of the "Strictly Private and Confidential". It reminded me of the "don't tell anyone, but ..." rumour-spreading technique pre-social media. When you really, really want people to tell the world, just tell them it's a secret.
We have commenced a programme of work to upgrade some of our older applications with a modern, cloud-based application with Phase 1 completed and a further phase scheduled for 2021
So if it's moved to a modern cloud-based set of applications, then there's nothing to worry about with cybersecurity, then.
If you want someone to be compliant with a request you have to say why, because what's necessarily obvious to you isn't obvious to the recipient, even if it might be embarrassing to you/the organisation.
eg please keep the door to the staff room closed at all times (because otherwise the aircon goes into overdrive and somehow trips the telephone system)
please do not use parking spaces at front of offices which are for visitors only (because if they park round the back they'll see the comfortable "employee relaxation area" mentioned on the website is actually five mismatched picnic chairs and a shredded parasol)
"eg please keep the door to the staff room closed at all times (because otherwise the aircon goes into overdrive and somehow trips the telephone system)"
Sometimes it's not easy to explain; if you apply your example to a school, the teachers don't want the pupils to see them chain smoking, drinking alcohol and scratching their nuts.
Although in this case it seems clear that Fartface was just trying to protect its reputation in the face of an avoidable failure.
The email signed by CEO Evans says they knew about the breach on 17 January. The Directors Report in their accounts filed at Companies House in February is signed by CEO Evans and dated 2 February! No mention of any breach in that report. Oh dear.......!!!!
Can anything this company says now be trusted? Or should we keep that strictly confidential???
Fatface join the ranks of EasyJet, FireEye, SolarWinds, AWS and SonicWall. All have claimed to have been the victims of "sophisticated" attacks and yet not one single one of them will reveal why the attack was sophisticated instead of just shitty security. Of course, in the case of SolarWinds we know that the breach was anything but sophisticated and yet companies still roll out that trite line along with "we treat your security seriously".
Pisses me off no end.