Learning from the AstraZeneca email blunder


Leo King's article in ComputerWorld, "AstraZeneca in confidential email blunder," discusses a relatively common thing that happens -- someone sends information they didn't intend to in an email. In this instance, AstraZeneca had to restate their earnings because the email included an Excel file that had confidential data in it.

We don't know all the details; apparently one analyst told AstraZeneca about the mistake, and AstraZeneca sent out a request to delete the message. Perhaps entertainingly, it appears that the confidential information indicates they're doing better than expected.

Nonetheless, as a security expert, I have some advice:

  • Don't send the actual spreadsheet, or word processing document, or whatever. Send a PDF. This is a good habit to get into. Since PDF is a display format rather than an editing format, you'll look at it yourself, which helps you see whether there is anything you need to get rid of. Also, PDF doesn't include the editing history. Other inadvertent leaks have come through the edit history. Try this yourself -- the next time someone sends you a Word file or Excel spreadsheet, hit undo. See what happens. Usually it's nothing, but you'll see that there are past edits in the document. It's good for your workflow to send display versions.
  • If you do send out something you shouldn't have, don't ask people to delete it. Many of the people who were sent that document were too busy to read it. Others just skimmed it and only looked at what they were expecting. If you tell people that you've accidentally sent them something confidential, they'll go right over and look at it. It's human nature to look at a secret you shouldn't have gotten. I would. You would. Look straight ahead and carry on. Don't call attention to the blunder.
  • Don't believe those stupid email disclaimers. You've seen the footers that say that if you're not the proper recipient of the email then you should delete the message and then go wash your hands. Maybe you even use one. They have next to no authority; they merely waste disk space. In nearly every jurisdiction, in nearly every conceivable case, if I send something to you, that's my problem, not yours. Another tip about human nature is that if you want someone to do you a favour, don't threaten them.
  • In many instances, the person who received the confidential information can't help you. In regulated industries and in publicly traded companies, they can't just look the other way. This is part of why hoping they don't notice, and above all being nice, is the proper course.
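A pre-send check in the spirit of the first tip, added here as an example that is not part of Callas's article: it opens an .xlsx as the ZIP archive it actually is and lists the hidden sheets, cell-comment parts and author metadata that would travel with the spreadsheet but not with a PDF export. The sample workbook is constructed inline (no real data); the part names and attributes follow the OOXML layout Excel writes.

```python
import io
import re
import zipfile

# Constructed sample workbook (not a real file): one visible sheet, one
# hidden sheet, a comments part, and authoring metadata in docProps.
SAMPLE_PARTS = {
    "xl/workbook.xml": (
        '<workbook><sheets><sheet name="Summary" sheetId="1"/>'
        '<sheet name="Internal forecast" sheetId="2" state="hidden"/>'
        '</sheets></workbook>'
    ),
    "xl/comments1.xml": "<comments><commentList/></comments>",
    "docProps/core.xml": (
        '<cp:coreProperties><dc:creator>finance-analyst</dc:creator>'
        '<cp:lastModifiedBy>cfo-office</cp:lastModifiedBy></cp:coreProperties>'
    ),
}

def build_sample_xlsx() -> bytes:
    """Pack the sample parts into a ZIP, which is all an .xlsx is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in SAMPLE_PARTS.items():
            zf.writestr(name, xml)
    return buf.getvalue()

def find_hidden_content(xlsx_bytes: bytes) -> dict:
    """Report content that travels with the spreadsheet but not with a PDF."""
    findings = {"hidden_sheets": [], "comment_parts": [], "authors": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = zf.namelist()
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for tag in re.findall(r"<sheet\b[^>]*>", wb):
                # Excel marks hidden sheets with state="hidden" or "veryHidden"
                if re.search(r'state="(?:hidden|veryHidden)"', tag):
                    name = re.search(r'name="([^"]*)"', tag)
                    findings["hidden_sheets"].append(name.group(1) if name else "?")
        # Cell comments live in separate parts named xl/comments*.xml
        findings["comment_parts"] = [n for n in names if n.startswith("xl/comments")]
        if "docProps/core.xml" in names:
            core = zf.read("docProps/core.xml").decode("utf-8", "replace")
            for prop in ("dc:creator", "cp:lastModifiedBy"):
                findings["authors"] += re.findall(rf"<{prop}>([^<]*)</{prop}>", core)
    return findings

if __name__ == "__main__":
    print(find_hidden_content(build_sample_xlsx()))
```

Anything this reports is a reason to export to PDF, or at least to open the file and look, before it goes out.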

Above all, be careful. Double-check everything. Most of us have sent something embarrassing at some point, so you're not alone. But perhaps these tips can help you avoid getting into the problem in the first place.

Jon Callas is a renowned information security expert and CTO of Entrust. Jon previously co-founded and was CTO of PGP Corporation, and also served a stint as Security Privateer for Apple. His work in security policy supported the end of US cryptography export restrictions and helped secure the modern Internet.