Do Not Email Passwords


With over 3 billion internet users in the world today and an increasing focus on cyber security throughout the media, I would have thought that just like “Look both ways before you cross the street”, the caution “Do not Email Passwords” would simply have become common sense. But it turns out I was wrong.

Earlier this week, I received a standardized form email from Kaspersky Lab, one of the top-rated antivirus software companies, advising me that my antivirus subscription was about to expire in April and that the credit card associated with the auto-renewal had expired. Within the body of the email was a link to the account detail login page hidden behind a ‘click here’, along with the last 4 digits of my credit card number. Shockingly, the email also included both the login and the password required to log in to my account.

When I emailed Kaspersky Lab, objecting to having account credentials sent to me in a plain text email, Kaspersky responded:

We understand that you were concerned about the security of your personal information and wish to have it removed from our records. However, please be informed that this information was only sent to you for your reference. This information is not disclosed to other customers.

Stunned by this response, I contacted Kaspersky Lab by telephone to ask how transmitting the credentials required to access my personal information in a plain text email could be construed as private. When my conversation with the customer service representative failed to give me any confidence that my concern was understood, I asked to speak to her supervisor. After once again explaining my alarm at receiving both my username and password in an email, she assured me in her most soothing customer service voice that I was not at risk of having my personal information stolen because, after all, my desktop computer was running the Kaspersky security suite.

If only it were that easy to protect our privacy from the scores of cyber criminals and even amateur hackers who breach the most secure data centres and abscond with millions of records filled with personal information and payment card details.

The number of data breaches worldwide grew 62% between 2012 and 2013 with more than 552 million identities being exposed, according to Symantec’s Internet Security Threat Report. The top eight breaches exposed more than 10 million identities including names, birth dates and other identifying information and included the now famous Target data breach where an estimated 40 million credit and debit cards and 70 million records including customers’ names, email addresses and telephone numbers were exposed between 27 November and 15 December 2013. In this age of ubiquitous connectivity, our most personal and private information is increasingly at risk. And although software vulnerabilities are commonly exploited and cyber malware is on the rise, according to a report published by Dark Reading, the most common cause of data breaches is still weak and stolen passwords.

So once again, a common sense reminder to all: Do not email passwords and always look both ways before you cross the street.