
I am a minor recently employed by a retail company, in the same batch as 10* other new recruits. I have not yet had the first day, however our manager has sent us all a warm welcoming email.

The manager included everyone's emails in the CC box. That is, I (and the other 10* recruits) could see each other's personal emails:

  • johnsmith@gmail.com
  • janedoe@hotmail.com

And the like. We have not met each other in person yet.

I thought this posed a security risk - but I couldn't say why. I was definitely not happy with the thought of my personal email being given to 10 strangers.

Does it create security problems? Or is it just me worried about privacy?

*Not really 10, but 10 is a nice round number that approximates the true quantity reasonably well.

Moe
  • Well if the company is based in the UK, he has just violated the Data Protection Act and you can report him to the Information Commissioner's Office. The company is liable to an unlimited fine. Other EU countries have similar arrangements. – Chenmunka Nov 09 '17 at 09:31
  • @Chenmunka Seriously, has anyone ever been fined at all for sending an email to ten employees without using the BCC field? That sounds like an overreaction of epic proportions to me. – Anders Nov 09 '17 at 09:40
  • @Anders: I personally have fired managers that have done it. – Chenmunka Nov 09 '17 at 10:04
  • @Chenmunka If this was the only reason why you have fired several managers then you are not a great manager yourself. – Tom K. Nov 09 '17 at 14:48
  • @Tom Agreed, this is why people think Security Administrators are jerks, and why people are afraid to come to their SA when stuff goes wrong. Educate, (Re)-Train, Incentivize. Firing people is a last resort if they're completely unwilling to learn or change. – Monica Apologists Get Out Nov 09 '17 at 15:43

3 Answers


There are some downsides to having your email spread to strangers:

  • The more spread your email is, the more likely you are to get spam, phishing emails, emails containing malware, etc. If any one of those 10 people gets infected by a virus, your email address will be in their contact list. (Receiving such emails does not automatically mean that you will get infected, though.)
  • It can be used to research more information about you. One could Google it and see what comes up. Or try it on different sites vulnerable to user enumeration to see if you are registered there.

But these really aren't any biggies. And to be honest, your email is probably spread far and wide already in all sorts of places beyond your control. I wouldn't worry about a couple of handfuls of future colleagues getting it as well. The behaviour of your employer is both reasonable and expected, and not something I would make a fuss about.

If you still feel the need to limit the spread of your email I suggest you use multiple accounts for different purposes. E.g. you could have one email that you use for sensitive business (e.g. account recovery), and another that you hand out to people you would not trust keeping it confidential.

Anders

Whether email addresses are viewed as private information and how they have to be handled depends on where you live.

The risks with a small number of people in an employer environment are low but do exist. Of note are an increased risk of spam, targeted attacks on your credentials (make sure not to have an easy-to-work-out password) and abusive messages.

I would suggest you make sure the manager is aware of the BCC field and politely suggest it is used in future. If you are still concerned then check data protection laws in your locality and consider a complaint to the company / appropriate regulator.

*Since you have mentioned gmail if you use this platform you should know if you add a + to the address anything after it is ignored. I.e. "hector+stackexchange@gmail.com" would still reach hector@gmail.com. This means you can do things like give employers "hector+retailcompany@gmail.com" and set up a filter in your inbox so these all go to the same folder. Then when you get spam or phishing emails they are immediately obvious (i.e. why would a competition win email go to an address you only gave your employer) and you know who was responsible for your email address being leaked.

Hector
  • This is slightly off topic, but I would not bother taking this up with the manager. Not the kind of impression you want to give when you are new on the job. Also, I would be surprised if there is any jurisdiction where this would be grounds for complaints. – Anders Nov 09 '17 at 09:28
  • @Anders - In the UK email addresses count as personally identifying data and come under the DPA. If you kicked up a big enough fuss and the company did nothing to address the issue (like change policy) you would likely have a case. I would suspect this applies EU wide. All I suggested is a polite "could you use BCC if using my email again". I agree anything more is unlikely to go down well and is probably not advisable but that is the OP's call. – Hector Nov 09 '17 at 09:33
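The two practical points in Hector's answer, sending a group mail with BCC and using a Gmail "+tag" to trace who leaked an address, can be shown with working code. The block below is an added example, not code from Hector's answer or from anywhere else in this thread, and it uses only Python's standard library. The sender address, the third recruit, the tag registry and the spammy sender are constructed values; the first two recruit addresses are the placeholders from the question. The point about `smtplib.SMTP.send_message` stripping the Bcc header is documented behaviour of the standard library; the example simulates it rather than connecting to a mail server.

```python
"""Added example, not code from Hector's answer or from anywhere in the thread.
It demonstrates two things: sending a group mail with Bcc so recipients cannot
read each other's addresses, and reading the '+tag' of a plus-addressed mailbox
to tell which party an inbound mail's address was originally given to.
Standard library only. The sender, the third recruit, the tag registry and the
spammy sender below are constructed; the first two recruit addresses are the
placeholders from the question."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

SENDER = "manager@example-retail.test"  # constructed
RECRUITS = [
    "johnsmith@gmail.com",               # placeholder from the question
    "janedoe@hotmail.com",               # placeholder from the question
    "hector+retailcompany@gmail.com",    # constructed, plus-addressed
]


def build_announcement(sender, recipients, use_bcc):
    """Build the welcome mail; return (bytes as sent on the wire, envelope recipients).

    With use_bcc=True the mail is addressed to the sender and the recruits go in
    Bcc, which is removed before serialisation (smtplib.SMTP.send_message does the
    same: it never transmits a Bcc header). With use_bcc=False every address sits
    in To, which is the same leak as putting everyone in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Welcome aboard"
    msg.set_content("Looking forward to your first day.")
    if use_bcc:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    # The SMTP envelope (RCPT TO) carries every recipient either way; only the
    # headers differ, and the headers are what each recipient gets to read.
    envelope = list(recipients)
    del msg["Bcc"]  # no-op when there is no Bcc header
    return msg.as_bytes(), envelope


def visible_recipients(wire):
    """Addresses any recipient can read out of the delivered headers."""
    msg = email.message_from_bytes(wire, policy=policy.default)
    found = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            found.extend(addr for _, addr in getaddresses([str(value)]))
    return found


def plus_tag(address):
    """Split 'user+tag@domain' into ('user@domain', 'tag'); tag is '' if absent."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}".lower(), tag.lower()


# Constructed registry: which tag was handed to which party's sending domain.
HANDED_OUT = {
    "retailcompany": "example-retail.test",
    "newsletter": "news.example",
}


def classify_inbound(to_header, from_header, registry=HANDED_OUT):
    """Label an inbound mail by comparing the tag it arrived on with its sender.

    'leaked-via:<tag>' means the tagged address was given to one party but mail
    now arrives from somewhere else, so that party (or its systems) spread it."""
    _, tag = plus_tag(to_header)
    _, sender = parseaddr(from_header)
    sender_domain = sender.rpartition("@")[2].lower()
    if not tag:
        return "untagged"
    expected = registry.get(tag)
    if expected is None:
        return f"unknown-tag:{tag}"
    if sender_domain == expected:
        return f"expected:{tag}"
    return f"leaked-via:{tag}"


if __name__ == "__main__":
    for use_bcc in (True, False):
        wire, _ = build_announcement(SENDER, RECRUITS, use_bcc)
        print("Bcc" if use_bcc else "To ", "-> visible:", visible_recipients(wire))
    print(classify_inbound("hector+retailcompany@gmail.com", "Manager <manager@example-retail.test>"))
    print(classify_inbound("hector+retailcompany@gmail.com", "Prizes <win@lottery-spam.test>"))
```

Running the block prints the recipient list each recruit would see in both cases, then the two classifications: mail from the employer on the employer's tag is expected, while a "prize" mail arriving on that same tag tells you exactly which address copy was leaked. The same `plus_tag` logic is what a mailbox filter rule keys on when routing tagged mail into per-party folders.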

TL;DR:

Don't worry too much. There are a lot of ways to get your mail address directly, and there are also a lot of ways for your address to end up on some spam mailing list. This is nothing special. Use a strong password and everything will (probably) be fine.


Anders' answer is perfectly fine, because it shows what a hacker can do with one address. I just want to give some examples of how emails can be found and spread today. When you see how easy it is for perpetrators to get to an email, you will probably discard your worries.

There are two scenarios. Either you want a big ol' list of addresses, let's say 100,000 to send out spam, advertisement or w/ever. Or you want one specific e-mail, let's say yours.


Scenario 1: Big ol' list

Here are some ways to get a loooot of valid mail addresses.

  1. Google
  2. DIY
  3. Compromise accounts.

Google

Just try googling "list of valid mail address". You will find tons of lists, with 10 to 100,000 entries. Most of them probably won't be valid, but I'd say half of them are. I don't know what kind of ratio someone who sends out spam might be looking for, but I guess that wouldn't be ideal.
So let's google for something else, how about "ashley madison email list". The first site you hit gives a step-by-step instruction on how to download the complete list of 30+ million mail addresses. A lot of them are fake, deleted and won't work anymore. But just change "ashley madison" in the search query to any service name that had a major breach in the last 2 years. I guess most of the mails will still be active there.

DIY

Don't trust other people's lists? Make your own!
You start with two lists. The first list has the 100/500/1000 most common first names and the second one - you guessed it - the 100/500/1000 most common last names for the country of your choosing. Combine each entry in both lists with another in this way and add the domain of the 5-10 biggest mail providers at the end. Now you will have a list with (100/500/1000)^2*5 entries of "fName.lName@mailprovider.xxx". I guess 95% of these will fail but you did it yourself!

With all the mails that failed, you can then start to add random numbers at the end and stuff like that, but that probably goes too far.

Compromise accounts

Each mail account has an address book or a contact list. A lot of mail accounts are compromised every day. You probably heard of the big breach at Yahoo, where 3 billion(!) accounts were compromised. If only a third of these accounts had 10 contacts in their address book (probably with more than just a mail address. We're talking full name, date of birth, address.) and you were somehow able to compile a list of all these contacts in all these contact lists, you would have a list with 10 billion addresses. There would obviously be a lot of duplicates, but 10 contacts for a third of the accounts is a pretty small number.

So you see, compiling a big list with a lot of valid addresses is rather easy. Your and my mail address is probably in such a list right now.


So what if someone wants to get your specific private mail address?

There are several ways for attackers to get to your mail address. This can include social engineering, hacking mail accounts of your contacts (to get to their contact info) and also a lot of guesswork. Sometimes web services display addresses of users, so if I know a service like this, I can try to look you up. Also googling is a pretty good way most of the times if an attacker knows either your real name or an online handle you regularly use. A lot of people publish their address on sites of sports clubs or fan sites. These are all pretty well known ways, there are more, but if I reeeeaaaaally (for whatever reason) want to get your address and you have used it sometime in the past, I could probably get it somehow.

The question is though: is somebody out there who wants your email this badly? I guess, and I hope for your sake, that this is not the case.


Is this a privacy issue?

First of all, if YOU don't want anybody to get your email address, don't give it to people. People share all kinds of stuff unasked that touches your privacy: phone numbers, photos, videos etc. Additionally most people - especially in a professional environment - don't see sharing of contact information as a privacy violation. I personally - and I guess most people on this SE - have several mail addresses. One for work, one for web services of some kind and one for another... you get the point. If you want to keep something private, don't share it with people.

Everything changes when you live under a suppressive regime or have some other reason to really worry about your privacy. Then especially look into "is this a privacy issue".

Tom K.