A US bank has had a Gmail user’s account closed down, simply because the bank accidentally sent private data to it. Cloud services expose us to the consequences of others’ stupidity, says Jim Rapoza
[Editor’s note: I’ve just chaired an online session on cloud compliance. Surprisingly, we decided that security and compliance issues faced by the cloud are just variations on what crops up with in-house IT – but regulations are likely to be more of an issue than basic security.
Surprisingly though, there are still unexpected issues with cloud services. I’ll say more on my session tomorrow – though it’s still available online if you want to listen now. For now, I’ll hand over to Jim Rapoza to tell us a particularly surprising story…. Peter Judge]
Oh, well—just another day in the technology grind. I think I’ll fire up my Gmail account to see if I have any important e-mails in there.
One thing I’m pretty sure about is that there will be more spam and phishing e-mails. Gmail was pretty good about catching these things, but lately I’ve been getting “urgent” e-mails from some bank in Wyoming. Since I don’t have anything to do with any banks in Wyoming, I’m very sure that these e-mails are just some form of spam or possibly dangerous phishing attempts.
Everyone who knows anything about Internet security knows that it’s very common for bad guys to send out e-mails disguised as messages from banks, hoping some sucker will follow through and provide the account number and password for his or her online banking account.
But I’m too smart for that. In fact, these fake e-mails from this “bank” in “Wyoming” have been so persistent that I think I’ll set up a filter to block them entirely.
Hmm. Today, something seems to be wrong with Gmail. All I can see is this message from Google that says, “Per court order in a case brought by a Wyoming-based bank, your Gmail account has been disabled and your account information provided to the bank.” What the …?
Sound unlikely? Guess again.
While the above scenario didn’t actually happen to me, it is happening right now to a Gmail user whose only crime was to receive an e-mail accidentally sent to his or her (the identity of the account holder has not been revealed) address by the Rocky Mountain Bank of Wyoming.
Why did a court allow this?
In a story that is being reported on by multiple news sources, it appears that someone at the Rocky Mountain Bank sent an e-mail, with an attachment containing sensitive information on more than 1,300 customers.
The bank employee should not have sent this attachment at all. But to make matters much worse, it was sent to the wrong Gmail e-mail address.
I won’t get started on how it was even possible for someone from a bank to do this in the first place, because from here, it gets worse.
After the error was discovered, the bank – concerned about its attachment – sent subsequent messages to the same Gmail address and contacted Google to get the account holder’s personal information.
Google has a policy (and a good one, in my opinion) that it won’t divulge account information to third parties without a court order. But the bank decided to go further than just seeking a court order for the account information — it also asked the court to force Google to deactivate this random and, most likely, completely innocent person’s Gmail account.
And that’s just what the court did.
Cloud users at risk from others’ stupidity
Now, it seems, we can lose access to our e-mails and — most likely — our Google Apps, calendar, chat and Wave applications, as well as our Google AdSense accounts, and all for simply avoiding the kinds of e-mails that pretty much everyone would assume were spam. For any of the small companies and independent consultants who have moved their entire business to Google’s clouds, this could mean being shut down completely until the whole mess got sorted out.
Talk about the risks of moving your business to the cloud! This is one of the scariest, most nuclear outcomes I can think of for anyone who uses cloud-based services heavily.
One has to wonder what the involved parties were thinking here.
Clearly, this bank isn’t that tech-savvy. I guess the bank asked for the Gmail account to be shut down to prevent the sensitive data inadvertently sent to it from being spread. But if the account holder was inclined to do this, shutting the account down wouldn’t stop the person. He or she could spread the data using another e-mail account, and, if Gmail offline or a POP or IMAP client was used, the account holder would still have access to the data.
The judge is even more of a mystery. One would expect that a northern California-based judge would be at least a bit tech-savvy, but apparently this judge has never seen spam or phishing e-mails in his in-box.
It will be interesting to see how this turns out. Maybe the person involved really did try to use the data in a criminal way. But most likely he or she had no clue what was going on until Google gave him or her the bad news.
And for the rest of us, this is just one more reason why a totally cloud-based solution might not be the silver bullet that many think it is.
Chief Technology Analyst Jim Rapoza can be reached at email@example.com.