Not too long ago, attrition.org's errata group received a curious email:
From: Frances REDACTEDTo: errata@attrition.org Cc: REDACTED@comcast.net Date: Sat, 20 May 2006 16:53:38 -0400 Subject: personal information to be blocked FRANCES S LASTNAME ######### ADDRESS CITY FL #####
For some reason, "Frances" emailed attrition her full name, Social Security number, and home address with an apparent request in the subject of the email of "personal information to be blocked".
How ironic is that?
In most cases, we would have disregarded and deleted her email as either spam or a crank. However, this particular situation bothers me for many reasons. One, judging from the content of the email, "Frances" was apparently looking for some type of assistance. While it definitely isn't the type of "help" attrition.org can provide, for some reason, she reached out to have her "personal information" blocked from someone or something. Two, she did so in a fashion that a) was absolutely not technologically secure, and b) sent to people who have no reason to have access to her personal information. Three, even though I redacted "Frances"'s personal information in the email above, what she sent allowed me to make a few deductions, however flawed they may be:
1. "Frances" is probably not in your 21-45 crowd. Judging from the city and state listed in her home address, coupled with her first name, "Frances" may very well be a retiree. (P.S. - happy birthday, Mom!)
2. From the (redacted) Social Security number listed, "Frances" received her Social Security card in the state of Maryland, not Florida, which also suggests that she is not a Florida native and may be a retiree.
3. In a not-so-large stretch of the imagination, "Frances" may be unaware of threats and risks surrounding personal data theft or data loss.
Side note:
Some companies monitor outbound email for personal information being sent through unencrypted email. Emails containing Social Security numbers, account numbers and credit card numbers may be manually reviewed before the email can be released. However, there could be issues with a process such as this.
Problem: Social Security numbers are nine digits. Any idea how many nine digit numbers there are in the world that also get quarantined by filters?
1. Nine digit zip codes
2. Microsoft Outlook meeting request message IDs
3. CUSIPs (financial product identifier codes)
4. Legal writing reference numbers
5. Spam bounces or NDRs from spam
Makes for a long day when a group of people keep revising the same spreadsheet that contains nine digit zip codes for vendors and resending through email, wouldn't it?
End side note
So why would "Frances" send her name, Social Security number, and address out not only through unsecured email, but also to someone or some group she doesn't even know? Did she think attrition.org was some type of "do-not-call" registry for personal information? Did she think we have some mystical power over data breaches or that we had her own information stored on our system? Was she just plain confused or uninformed? Perhaps she thought it was for her own benefit, but I would hope that most of us can see the risk "Frances" accepted by sending her email. The part that bothers me is that "Frances" may have also sent her information to other email addresses that would try to take advantage of not only her personal information but lack of awareness of data loss and data theft issues.
So the question is: do people really care about their own personal information? If so, do they understand or even think about the risks they take when communicating their information to others? Not just online, but in all situations? Am I asking too many questions?
I'm just glad "Frances" isn't my mom (happy birthday again, mom)...