• Audit
• Incidents
• i20151205.1

Incident i20151205.1

• Incident Number: i20151205.1
• Status: execution

• Incident Manager: BenediktHeintel

• Date of incident opened: 2015-12-05
• Date of incident closed: 201Y-MM-DD
• Incident title: Data Privacy breach

History Log

• 2015-12-05: Incident i20151205.1

• 2015-12-05: created private part with full names and email content

• 2015-12-06: Updated root cause, added additional permanent corrective actions
• 2015-12-09: Updated with latest information and notified
• 2015-12-09: Board informed about incident and asked for approval (until 2015-12-27) and execution
• 2015-12-18: Actions approved by Board
• 2015-12-20: Added permanent corrective action, approved by Board on 2015-12-19 via email

1. Incident Response Team

• Internal Auditor

2. Incident Description

The internal Auditor was informed by a member (A) that an Organisation Assurer (B) posted a privately meant email to the public support mailing list "cacert-support@lists.c.o". The email contains the name and the address of the member asking for an organisation assurance (C). The rest of the information is public available. It also indicates (C) to use the public support mailing address "cacert-support@lists.c.o" as return address for all conversation within the organisation case in the mail's body. (email 1)

(B) recognised the mistake and send another email to (C) and the public support mailing list, with the address "cacert-support@c.o" in emails body; "cacert-support@c.o" is an alias to "cacert-support@lists.c.o". (email 2)

(A) was answering on this posting on the public mailing list. The answer starts with a harsh almost insulting question towards the Organisation Assurer. (A)'s answer casts a damming light on CAcert's communication and interaction with each other. (email 3)

(B) apologized for the mistakes in a private email to (C) and clarified, that the support email address should be used for communication. (email 4)

(C) thereof answered to the support email address.

3. Containment Actions

The Organisation Assurer (B) apologised to the member (C) and corrected his mistake in (email 4) around one hour after writing (email 1) to the public mailing list. There is not need for other containment actions.

4. Root Causes

1. Email to public mailing list:

The (B) send two emails from his mail client, typing the first characters of "CAcert Support" and confirmed the address with enter; the mail client has chosen cacert-support@lists.c.o as recipient. (B) did not recognised this prior sending. When (B) got aware of the mistake, he send an email to (C), trying to fix the mistake.

Finding: This data privacy breach of (B) happened by mistake.

2. Use of cacert-support@lists.c.o in email body:

(B) dully copied the email addresses from the address field into the mail body without checking the addresses.

Finding: (B) did not carefully re-read the email before sending. This happened by negligence.

5. Permanent Corrective Actions

1. (A) should apologise toward (B) and (C) for the tone of the email.
2. Standard templates should be provided the Organisation Assurance Officer for initial mails to have a common communication towards potential organisation assurances and avoid mistakes.
3. The Organisation Assurance Officer should advice all of his Organisation Assurer to use OTRS as standard tool for answering on tickets.
4. Delete the email thread containing the wrong support email addresses from the public mailing lists.

A note from the Incident Manager: Mistakes might happen, that's human - important is the way we treat them!

6. Verify Corrective Actions

7. Preventive Actions

As of Incident i20140625.1, all Organisation Assurers should participate in the data privacy awareness

8. Approval & Closure

• CategoryAudit

• CategoryIncident