CityCycle -- the shared bicycle program in Brisbane, Australia -- was involved in a slight data breach. I'm not sure I would recommend data encryption in this particular case, although it certainly would have prevented the breach from happening.
Due to human error, all subscribers to CityCycle were able to see each other's e-mail addresses. It sounds like a city employee forgot to use the "bcc:" field, and instead either used the "to:" field or the "cc:" field to contact subscribers.
As a result, we know now that there are 1,306 active participants in Brisbane's public bike system. I've never been to Brisbane, but that sounds like a small number (Wikipedia's entry states that the total population of the city is a little over 2 million). You could say that the incident is the breach of an e-mail database of sorts.
This isn't much of a breach, though, is it? I mean, I can imagine how this could be problematic if it were an e-mail list of bank customers or hospital patients. But public bikes?
Of course, one could use the list to create a targeted phishing scam, but with only 1,306 people it really wouldn't be in the phisher's interest. I've heard successful conversion rates are at about 10%.
Like I noted previously, using encryption would have been too much in this case. It'd be like decrypting a message from Wal-Mart to find if they're offering broccoli specials, just for today.
The city's bicycle program should look into creating an email address group. This way, instead of loading each individual e-mail into the "to:" field, a person can type something along the lines of "city.cycle.subscribers" and never have to deal with accidentally showing a subscriber's e-mail address.
Encryption may be tops for data security, but if you're looking to be efficient, you should know when not to use it as well.
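The group-address suggestion above, sketched as a pre-send check (an added example, not code from CityCycle or the original post). The alias domain, the `MAX_VISIBLE` threshold, and the function names are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

LIST_ALIAS = "city.cycle.subscribers@example.org"  # assumed group address
MAX_VISIBLE = 5  # assumed policy: more visible recipients than this blocks the send


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To: and Cc:."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_exposure(msg, limit=MAX_VISIBLE):
    """Raise ValueError if the headers would disclose a bulk recipient list."""
    seen = set(visible_recipients(msg))
    if len(seen) > limit:
        raise ValueError(f"{len(seen)} addresses visible in To/Cc; use the group alias")
    return len(seen)


def build_bulk(sender, subject, body, subscribers):
    """Return (message, envelope) where only the alias appears in To:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = LIST_ALIAS
    msg["Subject"] = subject
    msg.set_content(body)
    check_exposure(msg)
    # The envelope list goes to the SMTP server separately, e.g.
    # smtplib.SMTP.send_message(msg, to_addrs=envelope), and is never
    # written into the headers that subscribers can read.
    envelope = sorted({s.strip().lower() for s in subscribers if s.strip()})
    return msg, envelope


if __name__ == "__main__":
    # Constructed sample subscribers, not real addresses.
    riders = [f"rider{i}@example.net" for i in range(8)]
    msg, envelope = build_bulk("noreply@example.org", "Station update", "Hello", riders)
    print(msg["To"], len(envelope))
```

Running `check_exposure` on every outgoing message before it reaches the mail server catches the case where someone pastes the subscriber list into "to:" or "cc:" by hand.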
Related Articles and Sites: http://www.brisbanetimes.com.au/queensland/citycycle-in-privacy-breach-20110204-1agqb.html