Home > Identity Theft > It Took Just One Email to Compromise the Leaders of the Free World

Comments 1 Comment

Whether an autofill mishap or a “What in the name of God were you thinking?” move, somebody’s shrimp is on the barbie at Australia’s immigration department after an officer there emailed President Obama’s passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.

An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year’s G20 summit in Brisbane — including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China’s President Xi Jinping, India’s Prime Minister Narendra Modi, Japan’s Prime Minister Shinzo Abe and UK Prime Minister David Cameron — was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.

The freedom of information request revealed that an immigration official notified Australia’s privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.

“The personal information which has been breached,” an email notifying the privacy commissioner stated, “is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit.”

“The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.

“The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the “deleted items” folder.

The Inevitable Weak Link

Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example of this. The retailing icon didn’t properly segment data, and someone at a heating and air conditioning company with a Target contract, and unknowing access to far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to access its point-of-sale systems — in other words, human error. Subsequently, multiple warnings from Target’s own security protocols — indicating the presence of malware — were overridden by someone(s), also human error.

In the G20 instance, the damage was most likely not great — at least to the world leaders in question. That said, Steve Wilson, a principal analyst focusing on digital identity and privacy at Constellation Research told the Guardian, “What I’d be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them.”

Wilson went on to hypothesize: “If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk.”

Now comes the unavoidable question: When it involves the protection of a president or prime minister, is “most likely safe” an acceptable standard? For a government employee to send out such internationally sensitive information in an email and for a privacy commissioner to decide not to notify anyone that the breach had occurred needs to get tagged as “human error” as well. (If anyone should know better, one would assume it might be the “privacy” commissioner, yes?) One of the more crucial protocols in a data compromise is transparency, at least with respect to those who have been exposed. If you’re not aware of the fact that you are in harm’s way, how can you possibly protect yourself?

You may remember the scene in the 2006 remake of the Pink Panther where Clouseau, played by Steve Martin, gets his hand stuck inside a vase. He asks the casino owner if the item is valuable, and is told that it’s a worthless imitation. Mindful of that information, Clouseau slams the vase on a desk to free his hand, breaking both in the process.

“But that desk,” the casino owner says, “was priceless.”

So now anyone wanting to get their hands on that PII knows where it isn’t, but they also have some clues as to how to piece it together, and where it might be. (Of course, no hacker has ever raised deleted files from the dead.) They also now know that Australia has porous defenses, even if their vulnerabilities exist only at the level of a human resources failure to properly train employees on data security best practices. But then there’s the question of the privacy commissioner’s handling of the situation, which none of this explains. Sigh…

The leak of PII belonging to world leaders is an extremely serious matter. For years many have warned that any system is only as secure as its weakest link … and that humans are almost always the weakest link. So the beat goes on.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

More on Identity Theft:

Image: Hemera

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • jeff

    great article

Certain credit cards and other financial products mentioned in this and other articles on Credit.com News & Advice may also be offered through Credit.com product pages, and Credit.com will be compensated if our users apply for and ultimately sign up for any of these cards or products. However, this relationship does not result in any preferential editorial treatment.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Our Owners

Credit.com is owned by Progrexion Holdings Inc. which is the owner and administrator of a number of business related to credit and credit repair, including CreditRepair.com, and eFolks. In addition, Progrexion also provides services to Lexington Law Firm as a third party provider. Despite being owned by Progrexion, it is not the role of the Credit.com editorial team to advocate the use of the company’s other services. In articles, reporters may mention credit repair as an option, for example, but we’ll also be sure to note the various alternatives to that service. Furthermore, you may see ads for credit repair services on Credit.com, but the editorial team isn’t responsible for the creation or implementation of those ads, anymore than reporters for the New York Times or Washington Post are responsible for the ads on their sites.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team