Disrespect of Basic Security Principles

A gross disrespect of basic information security principles could lead to a serious data breach.

The Cash App data breach is an example of the consequences of not following basic security hygiene. It led to a breach of 8M users' data: https://www.securitymagazine.com/articles/97396-block-confirms-cash-app-breach-affecting-8m-users

Here is a recipe for another possible breach, this time at a similar digital banking company. The company is not ready to accept that there is a serious issue. Its name has been redacted in this article.

The following screenshot is of a mail from this company asking the user to send images of their SSN card, driver's license, and passport via e-mail.

[Screenshot: the company's e-mail requesting the documents]

I received the following message when I explained to them the risk of sending any sensitive information in an e-mail:

[Screenshot: the company's reply]

If we provide any sensitive information in an e-mail, it can be exposed to multiple attack surfaces that may lead to compromise of the sensitive data. Following is a description of a few attack surfaces:

1. In-transit: E-mail may be intercepted by a threat agent, compromising the confidentiality of customers' sensitive PII. This company's mail server accepts e-mail over an unsecured channel; it does not enforce TLS. Even where TLS is used for e-mail, it is considered susceptible to person-in-the-middle attacks.

A DNS lookup shows that the company's mail server is aspmx.l.google.com.

[Screenshot: MX record lookup]

The following screenshot confirms that this mail server is not enforcing encryption of the data-in-transit.

[Screenshot: mail server accepting delivery without enforcing TLS]

2. Customer mailbox: The scanned images of the SSN card, driver's license, etc. will remain stored in the customer's sent-mail folder.

3. Lack of auditability: The customer sends this sensitive information to the customer-support mailbox, which is most likely a shared mailbox. Such a mailbox may not provide access audit logs for this PII, which makes it difficult to hold anyone accountable in the event of a data breach.
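The "does not enforce TLS" finding in item 1 can be checked programmatically. The following is an added example, not part of the original article: it parses an MTA-STS policy (RFC 8461), the mechanism a receiving domain publishes so that sending servers refuse to fall back to cleartext delivery, and reports whether the MX host advertised by the company is covered by an enforce-mode policy. The policy texts are constructed samples; the article does not state what policy, if any, this company publishes.

```python
"""Does a domain's inbound mail path enforce TLS? (MTA-STS, RFC 8461)

A sending MTA only refuses cleartext delivery when the receiving domain
publishes an MTA-STS policy in "enforce" mode whose mx patterns cover
the MX hosts the domain advertises. No policy at all means no enforcement.
"""


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key/value file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line; a real validator would reject the policy
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx pattern: exact host name, or '*.example' matching exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".l.google.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def tls_enforced(policy: dict, mx_hosts: list) -> tuple:
    """Return (enforced, uncovered_hosts): enforced only if mode is 'enforce'
    and every advertised MX host is matched by at least one mx pattern."""
    if policy.get("version") != "STSv1" or policy.get("mode") != "enforce":
        return False, list(mx_hosts)
    uncovered = [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
    return not uncovered, uncovered


# Constructed samples (assumptions): the MX host named in the article, a
# "testing"-mode policy that still allows cleartext, and an enforcing one.
ARTICLE_MX = ["aspmx.l.google.com"]
WEAK_POLICY = "version: STSv1\nmode: testing\nmx: *.l.google.com\nmax_age: 86400\n"
ENFORCING_POLICY = ("version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\n"
                    "mx: *.aspmx.l.google.com\nmax_age: 604800\n")

if __name__ == "__main__":
    for name, text in (("none", ""), ("weak", WEAK_POLICY), ("enforcing", ENFORCING_POLICY)):
        ok, missing = tls_enforced(parse_mta_sts_policy(text), ARTICLE_MX)
        print(f"{name}: tls_enforced={ok} uncovered={missing}")
```

A live check would fetch the policy over HTTPS and the MX set from DNS; the parsing and matching logic above is what decides whether cleartext fallback is permitted.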

Asking customers to send sensitive PII by e-mail also reflects the organization's lack of IT security maturity.

Any organization that needs such sensitive documents from customers should provide a secure file upload mechanism. Organizations must ensure that basic security principles such as strong encryption and least privilege are enforced throughout the lifecycle of the data.

I have also tried to reach out to the "Program Manager - Security Governance, Risk and Compliance" of this organization via LinkedIn and am waiting for a response.
