Indeed it was stupid for someone to send a large sensitive dataset over email. But what I find annoying is the lack of chatter about which email servers were compromised.
Was it Microsoft, considering probably 90+% of all gov agencies use it?
> which email servers were compromised
First, the cited Times article doesn’t say that any email servers were compromised. The phrasing makes it sound like that among the people the data was sent to was someone that it shouldn’t have been at the user level:
> A dataset was emailed to the wrong people
But let’s imagine that that wasn’t the case. Let’s imagine a scenario where an email was somehow intercepted.
You don’t have to compromise an email server to read email. Email is typically transmitted between mail servers in plaintext, via SMTP. Email encryption is out there — GPG or X.509 certificates — but users have to actually use them to encrypt that data. If they do, the encryption is actually pretty good, end-to-end, though the email subject still goes in plaintext. However, most don’t. Anyone along the network path also has access to that plaintext data.
> A dataset was emailed to the wrong people
Ah, that differs from what I thought I heard on BBC. On BBC, they said the sender of the email accidentally attached the entire dataset, when they meant to only transmit a few records. BBC did not imply at all that the destination was also incorrect. So, I guess there are conflicting stories.
> You don’t have to compromise an email server to read email. Email is typically transmitted between mail servers in plaintext, via SMTP.
I realize that sloppy configs could be in play. But I would expect TLS to be in play in a majority of cases (in which case the compromise would be at the servers). We could probably say vast majority of traffic includes either MS or Google servers. Don’t they insist on TLS? Or is it some kind of lenient opportunistic config?
And if TLS was not in play, then I suppose an interesting question as well is what ISPs are involved in that route.
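The question above, whether server-to-server TLS is a lenient opportunistic setting, is what MTA-STS (RFC 8461) addresses: a receiving domain publishes a policy that turns STARTTLS from "use it if offered" into a requirement, and a sending MTA that honours the policy defers delivery rather than falling back to plaintext. The following is an added example, not code from anyone in this thread; it parses such a policy and shows how the sender's decision differs between no policy, testing mode and enforce mode. The policy text, hostnames and EHLO keyword lists are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample policy in the format served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.example.invalid\nmx: *.example.invalid\nmax_age: 604800\n"

@dataclass
class StsPolicy:
    mode: str        # "enforce", "testing" or "none"
    max_age: int     # seconds a sender may cache the policy
    mx: list = field(default_factory=list)  # permitted MX hostname patterns

def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse the key/value policy text (RFC 8461); only 'mx' may repeat."""
    fields, mx = {}, []
    for line in text.splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "mx":
                mx.append(value.lower())
            else:
                fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {fields.get('mode')!r}")
    return StsPolicy(fields["mode"], int(fields.get("max_age", 0)), mx)

def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """'mx' entries are exact hostnames or '*.suffix', which matches exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    return any(re.fullmatch(r"[^.]+\." + re.escape(p[2:]), host) if p.startswith("*.") else host == p
               for p in policy.mx)

def delivery_decision(policy, mx_host, ehlo_keywords, cert_valid_for_mx):
    """Return ('deliver' | 'defer', reason) for a sending MTA facing this MX."""
    starttls_offered = "STARTTLS" in {k.upper() for k in ehlo_keywords}
    if policy is None or policy.mode == "none":
        # Plain opportunistic STARTTLS: encrypt if offered, otherwise send in the clear.
        return "deliver", "opportunistic: TLS only if the MX offers it"
    checks = [(starttls_offered, "no STARTTLS offered"),
              (cert_valid_for_mx, "certificate not valid for MX"),
              (mx_matches(policy, mx_host), "MX not listed in policy")]
    problems = [reason for ok, reason in checks if not ok]
    if not problems:
        return "deliver", "policy satisfied: authenticated TLS to a listed MX"
    if policy.mode == "enforce":
        return "defer", "enforce: " + "; ".join(problems)
    return "deliver", "testing: delivered, failures would be reported (" + "; ".join(problems) + ")"
```

Without a published policy the sender has no way to tell a downgraded session from a server that simply never offered STARTTLS, which is why the "opportunistic" branch delivers regardless; publishing in testing mode first lets a domain see (via TLS-RPT reports) what would break before switching to enforce.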