Careful what you attach to email: How an excel document resulted in 50,000 superannuation fund member records being compromised

Traditionally, investment managers use spreadsheets to manage their data. However, over the past few years, investment managers are more aware of spreadsheet risk and most are keen to reduce their reliance on spreadsheets. When we ask them about spreadsheet risk, most raise the prevalence of errors in spreadsheets.

Many can quote statistics like “94% of spreadsheets have errors” or “98% of people have seen an Excel error cost their employers’ money”. It is these statistics that result in headlines such as “Microsoft’s Excel Might Be The Most Dangerous Software On The Planet”.

The other aspect of spreadsheet risk that investment managers are concerned about is key person risk. But what about the dangers associated with emailing spreadsheets within an organisation. We never hear that one.

Another type of spreadsheet risk

Yes—emailing spreadsheets. Hands up if you have emailed a spreadsheet with sensitive data in the last week? How many of you did that without considering the risks?

In May 2022, an Australian superannuation fund suffered an information security breach resulting from unauthorised access to a mailbox. The fund was a victim of email phishing activity. In that mailbox was an email with a spreadsheet attached containing personal details of about 50,000 members. This data breach was not the result of a material security control weakness or technology failure. It was the result of a staff member’s password being compromised by a malicious email.

Emailing spreadsheets is not what usually comes to mind when we ask risk managers about information and data security risk. The recent incident is not a rare event. Other examples include:

A better way to share investment data

Investment data typically lives in multiple systems across the organisation and it is standard practice to email this data between teams in spreadsheets. As we pointed out in our white paper “Spreadsheet risk: the closing bell?”, spreadsheets are not inherently designed as collaboration tools.

Investment managers are aware of the risk of emailing spreadsheets to and from third parties. Most have secure processes to communicate with custodians and other data providers. However, many still rely on spreadsheets to share data internally.

Moving to an enterprise data management (EDM) platform eliminates the need to share valuable data via spreadsheets and ensures that all business uses a common source of truth.

Read our white paper or talk to us to learn more about how an EDM can reduce your reliance on spreadsheets.

Scroll to Top