


Web-Based E-mail Accounts Can Lead to Embarrassing Security Breaches

Nov 16, 2007

No doubt you have read about the plight of MediaDefender, Inc., a company that helps movie studios and recording companies prevent unauthorized copying of their copyrighted materials online. In particular, MediaDefender sets up sting and other operations to catch infringing content on peer-to-peer networks. To be effective, those activities must be strictly confidential. Whether you agree with MediaDefender's business objectives or not, what happened to them should send a collective chill up the spines of security personnel everywhere.

It seems an employee of MediaDefender forwarded highly sensitive corporate e-mail to his Google e-mail account. A group that opposes MediaDefender's activities broke into the Gmail account (most likely through an easily guessed password) and made nearly 6,000 of MediaDefender's e-mails available to the public. Amusingly enough, the e-mails were uploaded to the very type of peer-to-peer networks MediaDefender was trying to police. Early reports indicate that the disclosed e-mails revealed extraordinarily sensitive information about the company.

This latest, and highly publicized, instance in which a Web-based e-mail account resulted in a significant compromise of corporate security should serve as a reminder to have clear policies with employees regarding the forwarding of business e-mail to Gmail and other personal accounts. Once a message sits in a personal webmail account, it is protected only by whatever password the employee chose, outside the authentication, monitoring, and retention controls the company applies to its own mail system. Given the widespread use of approved remote access software for corporate servers, BlackBerry devices, and other secure means of reaching business e-mail, there should be no need for workers to forward business e-mail to personal accounts, particularly Web-based accounts.
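A policy against forwarding is only as good as the ability to notice when it is being broken. The script below is an added example, not code from the original post or from MediaDefender; it shows the two checks a mail administrator would run: an audit of exported mailbox forwarding rules for targets outside the company's domains, and a scan of an outbound transport log for an employee repeatedly forwarding messages to one consumer webmail address. The corporate domain list, the CSV layout of the rule export, and the log line format are assumptions made for the illustration, and the sample rows and log lines are constructed.

```python
"""
Audit for business e-mail being forwarded to personal web-mail accounts
(Gmail, Yahoo, Hotmail, ...). Added example, not code from the original
post. The corporate domains, the CSV export layout for mailbox forwarding
rules and the transport-log line format are all assumptions.
"""
import csv
import io
import re
from collections import Counter

# Assumption: the organisation's own domains; anything else is external.
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

# Consumer web-mail providers an employee is likely to forward to.
CONSUMER_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com",
                    "hotmail.com", "outlook.com", "aol.com"}

# Constructed sample of a mailbox forwarding-rule export (hypothetical layout).
FORWARDING_RULES_CSV = """mailbox,rule_name,forward_to
alice@example.com,Keep a copy at home,alice.smith@gmail.com
bob@example.com,Copy to legal,legal@corp.example.com
carol@example.com,Backup,carol1979@yahoo.com
"""

# Constructed sample of an outbound transport log (hypothetical format).
TRANSPORT_LOG = """2007-11-12T08:01:13Z from=alice@example.com to=alice.smith@gmail.com subject="FW: P2P sting targets" size=18320
2007-11-12T08:01:14Z from=alice@example.com to=alice.smith@gmail.com subject="FW: Studio contract draft" size=44110
2007-11-12T08:01:15Z from=alice@example.com to=alice.smith@gmail.com subject="FW: Weekly status" size=9021
2007-11-12T08:01:16Z from=alice@example.com to=alice.smith@gmail.com subject="Fwd: Board minutes" size=30200
2007-11-12T09:15:02Z from=bob@example.com to=partner@studio-example.net subject="Re: Q4 schedule" size=5120
2007-11-12T10:22:40Z from=dave@example.com to=dave.home@outlook.com subject="Fwd: Lunch menu" size=2048
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<recipient>\S+) '
    r'subject="(?P<subject>[^"]*)" size=(?P<size>\d+)$')
FORWARD_SUBJECT = re.compile(r"^\s*(fw|fwd)\s*:", re.IGNORECASE)


def classify_destination(address):
    """Return 'internal', 'consumer-webmail' or 'external' for an address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    if domain in CONSUMER_WEBMAIL:
        return "consumer-webmail"
    return "external"


def audit_forwarding_rules(csv_text):
    """Return (mailbox, target, category) for rules pointing outside the company."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = classify_destination(row["forward_to"])
        if category != "internal":
            flagged.append((row["mailbox"], row["forward_to"], category))
    return flagged


def parse_transport_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def find_bulk_forwarding(entries, min_messages=3):
    """Map (sender, recipient) -> count for pairs that forwarded at least
    `min_messages` messages (subject FW:/Fwd:) to a non-corporate address.
    One forward to a business partner is normal traffic; a stream of forwards
    to a single personal mailbox is the pattern the policy is meant to stop."""
    counts = Counter()
    for e in entries:
        if not FORWARD_SUBJECT.match(e["subject"]):
            continue
        if classify_destination(e["recipient"]) == "internal":
            continue
        counts[(e["sender"], e["recipient"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_messages}


if __name__ == "__main__":
    for mailbox, target, category in audit_forwarding_rules(FORWARDING_RULES_CSV):
        print(f"forwarding rule: {mailbox} -> {target} ({category})")
    hits = find_bulk_forwarding(parse_transport_log(TRANSPORT_LOG))
    for (sender, recipient), n in hits.items():
        print(f"bulk forwarding: {sender} -> {recipient}: {n} messages")
```

On the constructed data the rule audit flags alice and carol (bob's rule targets an internal address), and the log scan flags only alice, who forwarded four messages to her Gmail address; dave's single forward falls below the threshold and bob's reply to a partner is not a forward at all. In a real deployment the same logic runs against the mail platform's rule export and the transport logs, and the threshold is tuned to the organisation's normal traffic.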


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified in Risk and Information Systems Control (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
