Skip to main content

Careful what you attach to email: How an excel document resulted in 50,000 superannuation fund member records being compromised

 

After traditionally using spreadsheets to manage data, investment managers are now becoming increasingly aware of the associated risks, often looking to reduce their reliance on the tool.

When asked about this risk, most raise the high prevalence of errors in spreadsheets. The other clear concern for investment managers is the key person risk that utilising spreadsheets enables.

 

Many can quote statistics like94% of spreadsheets have errors1 or “98% of people have seen an Excel error cost their employers’ money”.2

It is these statistics that result in headlines such as Microsoft’s Excel Might Be The Most Dangerous Software On The Planet”.3

 

However, less recognised is the danger associated with internally emailing spreadsheets.

Yes — emailing spreadsheets. Hands up if you have emailed a spreadsheet with sensitive data in the last week? How many of you did that without considering the risks?

 

In May 2022, an Australian superannuation fund suffered an information security breach resulting from unauthorised access to a mailbox.4 The fund was a victim of email phishing activity. In that mailbox was an email with a spreadsheet attached containing personal details of about 50,000 members.

This data breach was not the result of a material security control weakness or technology failure. It was the result of a staff member’s password being compromised by a malicious email.

 

Emailing spreadsheets is not what usually comes to mind when we ask risk managers about information and data security risk. The recent incident is not a rare event. Other examples include:

 

 

A better way to share investment data

 

Investment data typically lives in multiple systems across the organisation and it is standard practice to email this data between teams in spreadsheets. As we pointed out in our white paper, spreadsheets are not inherently designed as collaboration tools.

 

Investment managers are aware of the risk of emailing spreadsheets to and from third parties. Most have secure processes to communicate with custodians and other data providers. However, many still rely on the tool to share data internally.

 

Moving to an enterprise data management (EDM) platform eliminates the need to share valuable data via spreadsheets and ensures that all business uses a common source of truth.

 

Read our white paper or talk to us to learn more about how an EDM can reduce your reliance on spreadsheets.

 

References:

1. Panko, R. R. (2005). What We Know About Spreadsheet Errors. Journal of Organizational and End User Computing. 

2. Richardson, B. (2022). Excel facts & statistics: New original research for 2022. Acuity Training – Equipping You For The Next Stage In Your Career. 

3. Worstall, T. (2013). Microsoft’s Excel Might Be The Most Dangerous Software On The Planet. Forbes.

4. Jarvis, C. (2022). Spirit Super data breach: Customers should be cautious, but minimal risk: CEO. The Examiner.
 
5. ‘I was shocked’: Data breach reveals personal details of thousands. (2016, November 17). ABC (Australian Broadcasting Corporation).
 
6. Chalet, A., & Grusche, P. (2021).  An Excel document could cost the Department of home affairs millions. IP Blog.
 
7. Cormack, L. (2022, June 1).  Icare sends private details of 193,000 workers to wrong employers. The Sydney Morning Herald.
 
8. University of Essex data breach being taken ‘very seriously’. (2022, May 3). BBC News.

 

Tags: