Some Yahoo! employees exposed through mistaken email
Date Reported: 11/30/07
Organization: Yahoo! Corporation
Contractor/Consultant/Branch: Fidelity Investments
Victims: Persons participating in the Yahoo! employee stock purchase plan
Number Affected: Unknown
Types of Data: First name, last name, Social Security number and Yahoo! employee ID number.
Breach Description:
On November 12th, 2007 Fidelity Investments inadvertently emailed a file containing personal information pertaining to Yahoo! employee stock purchase plan participants to the wrong company.
Reference URL: The State of New Hampshire Attorney General breach notification
Report Credit: The New Hampshire State Attorney
Response:
From the State of New Hampshire official breach notification and letter sent to victims:
Fidelity Investments on behalf of Yahoo Corporation is reporting an incident involving the brief, inadvertent disclosure by Fidelity of some information relating to Yahoo employees.
[Evan] I am uncomfortable with the word "brief" when referring to a disclosure. Disclosed information is always disclosed, but I understand what Fidelity means in this context. You can't un-disclose information.
We are writing to notify you of a recent issue that involved some personal information about you maintained by Fidelity Stock Plan Services (Fidelity SPS), the administrative service provider and recordkeeper of Yahoo!'s employee stock purchase plan.
Fidelity inadvertently disclosed by e-mail a file containing personal information to two stock plan administrators at another Fidelity Investments client.
[Evan] The notice does not inform the reader whether or not emails containing sensitive information are encrypted.
The e-mail contained names, Social Security numbers, and employee stock plan purchase information.
The incident occurred on November 12, and a determination that there had been an inadvertent disclosure was made on November 14.
The individual who received the file briefly viewed it and then sent it to another authorized plan administrator at the same company, who never opened the email or viewed the file.
[Evan] I wonder why the first administrator thought to send it on to another.
The company quickly notified Fidelity SPS of this matter.
The inadvertent recipients have deleted the e-mail and have confirmed that the file has been deleted and that the information has not been copied, printed, or downloaded.
Both plan administrators signed and delivered to Fidelity SPS a statement, confirming the facts described above and promising to maintain the confidentiality of any information that may have been viewed.
[Evan] I'm not sure what else can be done after the fact.
At this time, we are not aware of any misuse of this information. Based on our review of the circumstances and the limited nature of the disclosure, we do not believe there is a significant risk of misuse of this information resulting from this disclosure.
Fidelity Investments has taken steps to further strengthen our controls to help prevent this from recurring.
Fidelity Investments is notifying potentially affected Yahoo employees, by e-mail on November 29 and by U.S. mail on November 30.
We deeply regret any inconvenience or concern this may have caused. If you have any questions about this matter, please feel free to call a Fidelity Stock Plan Services Representative at . We are available from Sunday at 5:00 p.m. ET through Friday midnight ET.
Although this was Fidelity SPS's error, we at Yahoo! want to ensure that any questions or concerns you have about this event are being adequately addressed. If Fidelity SPS's representatives have not adequately addressed your concerns, please let us know by emailing
Commentary:
It sounds like this is a human error. Information security breaches resulting from human error are one of the most (if not the most) challenging to protect against. We humans often have other things on our mind. It appears as though Fidelity responded well to the incident, and I agree with their risk assessment (on this incident).
I do not know their internal procedures for sending this information, so it is difficult to comment on them. A couple of questions that I don't feel comfortable about are:
- Do Social Security numbers really need to be in the files that are sent to plan administrators?
- If so, are they sent through normal email channels?
People who don't know need to understand that standard email is "clear-text" communication. Anyone along the path from you to the recipient can intercept and read the contents of the email.
To demonstrate, let's say that I am sending my online bank password to my wife via email, to her Google email account, Gmail (a no-no, but a demo nonetheless). My network administrator, my email administrator, various engineers at our internet service provider (ISP), various engineers at other internet service providers between my ISP and Google, various engineers at Google, various other engineers between Google and my wife's ISP, and various engineers at my wife's ISP could all intercept the message and read the contents. I am not going to say that this happens or has happened, but the very real risk exists. There are many other secure alternatives, one of which is encrypted email.
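The two questions above (do SSNs need to be in the file at all, and is the file going out over plain email to the right people) are exactly the checks an outbound-mail gate can enforce before a message leaves. The following is an added example, not code from Fidelity, Yahoo! or the breach notification; the sponsor names, domains, and the CSV sample are constructed placeholders. It flags SSN-like values in an attachment, refuses to send them unencrypted, verifies every recipient domain against the list of administrators authorized for that client's plan (the failure in this incident was a file sent to administrators at a different client), and offers a redaction step that keeps only the last four digits so the file can be sent without the full number.

```python
import re
from dataclasses import dataclass, field

# Constructed: which recipient domains are authorized administrators for which
# plan sponsor. In practice this would come from the recordkeeper's client records.
ALLOWED_RECIPIENT_DOMAINS = {
    "yahoo-plan": {"plan-admin.example-yahoo.com"},
    "other-client": {"plan-admin.example-other.com"},
}

# Nine-digit SSN with optional "-" or " " separators; excludes the
# area/group/serial values that are never issued (000, 666, 9xx / 00 / 0000).
SSN_PATTERN = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)

# Constructed sample attachment: a plan participant export as text.
SAMPLE_FILE = """employee_id,last_name,first_name,ssn,shares
10001,Doe,Jane,123-45-6789,120
10002,Roe,Richard,876543210,45
"""


@dataclass
class OutboundMail:
    sponsor: str            # the client whose participants are in the file
    recipients: list        # e-mail addresses
    attachment_text: str    # attachment content as text
    encrypted: bool = False # True only if the attachment is encrypted end to end


@dataclass
class GateDecision:
    allowed: bool
    ssn_count: int = 0
    reasons: list = field(default_factory=list)


def find_ssns(text):
    """Return every SSN-like value found in the text."""
    return SSN_PATTERN.findall(text)


def redact_ssns(text):
    """Data minimization: keep only the last four digits of each SSN."""
    return SSN_PATTERN.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def check_outbound(mail):
    """Decide whether the message may leave; collect every reason it may not."""
    reasons = []
    authorized = ALLOWED_RECIPIENT_DOMAINS.get(mail.sponsor, set())
    for addr in mail.recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in authorized:
            reasons.append(
                f"recipient {addr} is not an authorized plan administrator for {mail.sponsor}"
            )
    ssns = find_ssns(mail.attachment_text)
    if ssns and not mail.encrypted:
        reasons.append(
            f"attachment contains {len(ssns)} SSN-like value(s) but is not encrypted"
        )
    return GateDecision(allowed=not reasons, ssn_count=len(ssns), reasons=reasons)


if __name__ == "__main__":
    # Misaddressed, unencrypted full file: blocked for two independent reasons.
    wrong = OutboundMail("yahoo-plan", ["admin@plan-admin.example-other.com"], SAMPLE_FILE)
    print(check_outbound(wrong))
    # Right recipient, SSNs redacted: allowed even over ordinary e-mail.
    right = OutboundMail("yahoo-plan", ["admin@plan-admin.example-yahoo.com"],
                         redact_ssns(SAMPLE_FILE))
    print(check_outbound(right))
```

The gate is deliberately conservative: a recipient outside the sponsor's authorized list blocks the send on its own, and a full SSN blocks the send unless the attachment is encrypted, so a misaddressed file is stopped before the clear-text hops described above ever see it.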
Past Breaches:
Unknown at Fidelity Investments or Yahoo!
Multiple for other Fidelity organizations.