Check out this great post by Dave Lewis over at CSO who reports on one of those face-palm realizations that many folks are having today. Adult Friend Finder is a social hookup site that fell victim to a breach with all kinds of data on its members now disclosed to the public. Why is that a big deal? Because an alarming number of users on that site signed up for the service using their corporate email accounts.
HR nightmare aside, there is a ton of really great information now available to an attacker. If you use the service, you may have your own issues with your intimate details and preferences being publicly available. As a corporate CISO, you need to be sure that any data now available about these accounts does not lead to a social engineering attack (perhaps, via spear-phishing) that leads to a breach.
There are two major actions for any CISO and HR department to add to their plans for 2015-16. First, a corporate-wide message to all employees that remind them of the acceptable uses of their corporate email accounts. Potentially also reminding them that the corporate email is the property of the company, as well as (potentially) its contents. And since they are using the corporate system, they consent to periodic review and inspection of that content.
Second, it might be time to work on some content filtering on your email servers. Nobody looks forward to subpoenas related to email—especially when they are not work-related. Just like there are websites you do not allow your employees to visit at work, there should be domains to which users cannot send or receive email. HR gets involved when these systems detect emails that come through with illicit content.
Ultimately, any breach has the ability to cause collateral damage in your company. Don’t disregard it just because it isn’t your system.