Web-Based E-mail Accounts Can Lead to Embarrassing Security Breaches

No doubt you have read about the plight of MediaDefender, Inc., a company specializing in assisting movie studios and recording companies in preventing illegal copying of their copyrighted materials online. In particular, MediaDefender sets up sting and other operations to catch illegal content on peer-to-peer networks. To be effective, their activities must be strictly confidential.   Whether you agree with MediaDefender’s business objectives or not, what happened to them should send a collective chill up the spines of security personnel everywhere.

It seems an employee of MediaDefender forwarded highly sensitive corporate e-mail to his Google e-mail account. A group that opposes MediaDefender’s activities hacked the Gmail account (most likely because of an easily guessed password on the account) and made nearly 6,000 of MediaDefender’s e-mail available to the public. Amusingly enough, the e-mail were uploaded to the very type of peer-to-peer networks MediaDefender was trying to police. Early reports indicate the disclosed e-mail revealed extraordinarily sensitive information of the company.

This latest, and highly publicized, instance in which a Web-based e-mail account has resulted in a significant compromise of corporate security should serve as a reminder to have clear policies with employees regarding the forwarding of business e-mail to Gmail and other types of personal accounts. Given the widespread use of approved remote access software to corporate servers, Blackberries, and other means of easily accessing business e-mail through secure means, there should be no need for workers to forward business e-mail to personal accounts, particularly Web-based accounts.