A hacker made news this weekend by gaining access to CIA Director John Brennan’s AOL account through some simple social engineering. What was he able to access? “Among the attachments was a spreadsheet containing names and Social Security numbers—some of them for US intelligence officials—and a letter from the Senate asking the CIA to halt its use of harsh interrogation techniques—that is, its controversial use of torture tactics,” according to Wired.
Not exactly things you want floating around on the web.
This raises one big question: Why was John Brennan using a personal AOL account for work? And to go further, why was he keeping things like Social Security numbers just sitting in his account?
It took Brennan three days to figure out that he had been hacked, and then the hackers regained control of his account three more times before he finally deleted the account and asked them how much money they wanted. They don’t want money; they just want to share his emails with the world. Bad news for Brennan.
As you probably know, this news comes in the midst of Hillary Clinton’s public email scandal in which she used a private server and email account to do official work.
There is a lesson to be learned here, and it applies to everyone, not just people working for the government: Using personal email for work communication is a bad idea. You have nothing to gain from it; there is only risk: the risk of those emails being exposed and of your company losing trade secrets, employee information, and more.
If you are a company that allows your employees to use personal email, you need to change that policy and provide your employees with a secure communications platform. This will reduce the likelihood of being hacked technically or through social engineering, and it gives the company the control to remotely wipe information should a breach occur.
Your employees may not have documents as sensitive as Brennan did, but why risk them putting your company information in their personal email accounts?