Blundering Boeing bod blabbed spreadsheet of 36,000 coworkers' personal details in email

Global aerospace firm Boeing earlier this month sent a notification to Washington State Attorney General Bob Ferguson, as required by law, about a company employee who mistakenly emailed a spreadsheet full of employee personal data to his spouse in November, 2016. The spreadsheet, sent to provide the employee's spouse with a …

  1. Daedalus

    Here we go again

    How does one employee have access to masses of data in that level of detail? It was the same with the various DHSS and NHS blunders: the focus was on losing the CD or whatever with the info, rather than the person having all that info in the first place.

    1. Anonymous Coward
      Stop

      Re: Here we go again

      And why is that employee allowed to download that information into a spreadsheet, even if he has read/write access as a part of his job?

      Seems like bad administrative controls/administration to me.

      1. Martin Gregorie

        Re: Here we go again

        ...and you have to wonder exactly where 'an employee' works in the Boeing corporate structure.

        Who would have access to that type of data outside of HR or the C-suite? But could one of them possibly be so careless? Shirley knot!

        1. Mark 85
          Facepalm

          Re: Here we go again

          I'm sure payroll would have access and possibly some others. Given the nature of large corporations and hole-ridden security, possibly every manager and admin.

      2. Anonymous Coward

        Re: Here we go again

        > And why is that employee allowed to download that information into a spreadsheet, even if he has read/write access as a part of his job?

        Read/write access to the database is usually access controlled quite well, problem is that access is held by essentially transactional employees. As soon as you want any serious data manipulation (eg for cost build, retirement or workforce planning, corporate change programmes) the database and the HR ERP modules don't offer the flexibility to do much, nor do the administrators have the skills to do those less common analytical tasks. So the people with access are asked to run a report, which they do with the due authority and checks, but THEN the data passes on to people who you have to trust to do the right thing.

        If I'm right, that trust hasn't worked, but that doesn't mean that access to the database itself wasn't controlled. A big part of the problem is that email and internet connections are leaky as hell, and most people don't know the risks they're taking. My job has required access to similar sub-sets of employee data - and I hate having that on my PC. All encrypted, and protected by best practice, but essentially the defence against me doing something stupid is me. I could have a PC with no external email or internet access, but there's other parts of my job need both. And even if I can only send the data internally, how does that stop anybody else doing anything daft.

        Not a good scenario, there are a few solutions, but most are fairly draconian, and even they are rarely bullet proof.

        1. P. Lee

          Re: Here we go again

          >there are a few solutions, but most are fairly draconian, and even they are rarely bullet proof.

          What was the error? Hiding data and mixing formatting with data.

          Do not do unexpected things with data processing. If you have the data there, keep it in plain sight. If it shouldn't be in plain sight, don't just pretend it isn't there.

          Keep a canonical list of templates which have no data in them and have reports populate them. If you must import the data to provide a snapshot, don't hide it, put it in a separate sheet and have your formatted report reference the data.

          Of course, if MS could, you know, innovate in security, it could get the mail client to check attachments when they are added and run the "ready to publish?" checks it already has in its own products which pick up on hidden fields and so on.

          Maybe they could add an "attachment" api to windows so that picking up a file will run it through checks based on the file type and system configuration. It always looks a little weird that you "open" a file when you are actually not.

          But hey, people will buy Windows and Office anyway, so why bother spending any money on developing it for security?

          1. tiggity Silver badge

            Re: Here we go again

            Indeed, with data hidden, it's quite possible the sender of the spreadsheet was totally unaware of the vast data leak they were committing.

            Though spreadsheets are generally bad, the more their use gets prevalent the worse things get, as widespread use leads to all sorts of bad practices (not just data leakage but potentially attack vectors, always some high up "powerful" person in an org throwing their weight around & wanting to override sane protocols and run macros)

            1. Anonymous Coward
              IT Angle

              Re: Here we go again

              > quite possible the sender of the spreadsheet was totally unaware of the vast data leak they were committing. (tiggity)

              I think, given the information disclosed, it is potentially worse...

              I suggest the sender wasn't doing anything they would have considered out-of-the-ordinary, ie. in the department they worked in it was normal everyday practice to email sensitive stuff - such as this spreadsheet, around. This take is backed up by the fact that Boeing didn't discover the leak for six weeks.

              What would be interesting to know is how Boeing discovered the leak...

              1. Anonymous Coward

                Re: Here we go again

                > I suggest the sender wasn't doing anything they would have considered out-of-the-ordinary, ie. in the department they worked in it was normal everyday practice to email sensitive stuff

                The sender thought they'd erased it. Even the security services have been guilty of this error: "redacting" data in a PDF, only to find that the original text is behind black rectangles which can easily be removed.

                It's still very stupid to:

                1. Take a "live" file and clean it out, for use as a template. Many document formats keep a changelog internally. Solution: publish the original templates somewhere.

                2. Have valuable data in hidden fields in a spreadsheet, just so that some formula can look it up. Solution: write a proper application which talks to the database (and the user is authenticated)

    2. This post has been deleted by its author

    3. Adam 52 Silver badge

      Re: Here we go again

      "How does one employee have access to masses of data in that level of detail?"

      A question I repeatedly remind our DBA, Ops and sysadmin teams when they ask for root access to our systems.

      IT are the worst offenders for this sort of thing.

      1. tfewster
        Facepalm

        Re: Here we go again

        IT folk are generally competent and aware of risks, i.e. trustworthy.

        Anyway, if I wanted to access data, I'd use the oracle (OS) or SYS (Database) accounts. The worst thing root can accidentally do is trash a system, so it has to be restored from backups.

        1. Adam 52 Silver badge

          Re: Here we go again

          I think you've just made my point nicely, thank you.

          You don't think that root taking a copy of the data and restoring elsewhere is a risk?

          No chance whatsoever of IT being phished?

          Never, ever been a disgruntled BOFH? Try asking NDA on that one!

          1. Anonymous Coward

            Re: Here we go again

            > Never, ever been a disgruntled BOFH?

            Plenty of times. I do, however, not like porridge.

            IT are generally not the worst for this sort of thing, as you put it, and actually the least likely to ever be phished (though most likely to be targeted). Of course I have full access to the main databases, but not on an account that I use daily, and its use is audit logged.

            Having been the IT for all sorts of people and companies, you have to get used to having god powers and not abusing them; it actually becomes quite easy after a while.

      2. Anonymous Coward

        Re: Here we go again

        "A question I repeatedly remind our DBA, Ops and sysadmin teams when they ask for root access to our systems."

        Chiefly because we occasionally need root to do our jobs?

        We don't need it all the time, don't need it everywhere and don't (usually) use it unless needed.

        And incidentally, we likely already have access to all the data because, you know, DBA?

        1. Count Ludwig

          Re: Here we go again

          Nothing personal about my downvote. It's all too common, and I have often been such a dev / DBA claiming I cannot do my job without such access. But these days I feel it's possible, and best practice, to design your set-up so that no such access is required, or only permitted in the presence of someone pointing a gun at you as you type.

        2. Roland6 Silver badge

          Re: Here we go again

          > Chiefly because we occasionally need root to do our jobs?

          From my experience, I think the issue being alluded to is the one created by those IT bods who because of their job 'occasional' happens relatively frequently and so to make life easier they upgrade their user account and use root/admin all the time...

    4. Anonymous Coward

      Re: Here we go again

      Having access isn't the problem, how that access is monitored, controlled and removed if necessary is typically the problem.

      And of course the fact that introducing viruses/malware, losing data etc seems to never, ever lose anyone their job - this is the bane of my working life. I catch people constantly only to see them slapped on the wrist.

    5. anothercynic Silver badge
      Facepalm

      Re: Here we go again

      They likely cleared all the cells, but not the hidden ones...

      And then it all went Pete Tong. But yes, this definitely is a great #FAIL for the Boeing Company.

      *eyeroll* *facepalm*

  2. Stevie

    Bah!

    Wouldn't care to be a salesdrone trying to shift that software after this own goal.

  3. Winkypop Silver badge
    Devil

    Boeing, Boeing...

    ....gone

  4. Potemkine Silver badge

    Hard to trust...

    ... a company not using the product it sells. This being the best case, the other one is Boeing using their product - but it's crapware.

  5. CIPHER-GUY

    Policy issue, not a Data Access Issue

    This is not a data access issue. Many employees, based on their jobs, need and have legal access to employee information. For their jobs, they routinely download and analyze employee information using spreadsheets as one of their analysis tools.

    The challenge for DLP tools, such as CIPHER, is they have to be installed and set up to scan end user data, in this case, outgoing email. This is a somewhat trivial task for a person knowledgeable about the DLP, but nonetheless, it has to be performed. For a company the size of Boeing, this would certainly not be done for all employees. It should be done for those individuals that have access to and routinely work with Personally Identifiable Information (PII).

    Why the DLP wasn't installed and used for this user is simply a policy issue. Boeing has to decide whether the inadvertent release of information is more important than the resource and end user commitment to installing and using the DLP application.

  6. el_oscuro

    It's all shitty. Besides the obvious WTF that this employee had all this info, why the fuck is Boeing even selling an IT security product (that they didn't even use), when their business is making aeroplanes? Who thinks of Boeing when evaluating IT security products?

    1. CIPHER-GUY

      The Boeing CIPHER product is one of three DLPs used in the classified area for the past 15 years. If you do not know about it then you do not deal with classified data. The application is used by the Army, the Navy, the Air Force, the White House Military Office and dozens of Fortune 500 companies. And people have access to this kind of data as their jobs require it. However, the job certainly does not include emailing it to their spouses - regards

  7. Anonymous Coward

    Easily done

    I've now managed to get myself to a stage in my organisation where, by a mixture of polite / friendly phonecalls, boxes of chocolates* to the right people as thanks for small favours, and occasional justification, I now have access to more systems and personal data with top level administrator rights than people several grades above me.

    I've done this out of the knowledge that it's quicker if I can do these things myself rather than going up the chain and all the red tape. The catch is I now have huge swathes of data that I can fuck up, not that I would (intentionally).

    However, if they had robust review strategies in place to see who's got access to what and why, I'd be quickly found out. Clearly, they don't.

    Woo!

    * Seriously. This works in so many different ways that I can't believe it actually works. A small request or favour granted, a box of high end chocolates as a thank you, and when you come round with the bigger request, it's done without a blink of an eye. (See: How to Succeed in Business Without Really Trying for other tips and hints)

  8. Ian 55

    Applause

    "sounding rather surprised that a reporter would call her directly on the line included in the breach notification"
