Badly addressed emails intended for the Auditor-Controller's office of Contra Costa County, California ended up at a Swedish Internet company that owned a .ac domain. The stray emails included personal data such as names, employee numbers, and benefits details of workers. Some had payroll spreadsheets as attachments. The director of the Swedish company, Robert Carlesten, tried reporting the problem, but the County only became aware after Carlesten told Computerworld.
Some reports claimed that anti-spam filters blocked Carlesten's messages because he was not an authorised sender. The County immediately blocked outgoing email to the entire .ac domain as a preventative measure. The suspected cause is bad addresses in some address books, but many employees have personal, locally stored address books, making identification and correction of the rogue addresses a problem.
There are various lessons to be learnt:
- Things that fail silently can go unnoticed for a long time. Warning signs may never be reported ("Joe in audit never gets my reports…").
- Simple spam filters can have serious false positive problems.
- Encrypting sensitive internal communications could have prevented this accidental leakage.
- Blocking an entire top-level domain is an overreaction to an addressing error.
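A more targeted control than blocking a whole top-level domain is to check outbound recipients against the organisation's own domains and flag near-misses and bulk-data attachments going outside. The script below is an added example, not code from the article or the County; the internal domain (the reserved name county.example), the key=value log format and the sample log lines are all constructed for illustration.

```python
"""Outbound-recipient sanity check (added example, not from the original article).

Flags outbound mail whose recipient domain is a near-miss of an internal
domain, or that carries a spreadsheet-like attachment to any external domain.
The internal domain, the log format and the sample log lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Assumed internal domain; county.example is a reserved example name,
# not the real County domain.
INTERNAL_DOMAINS = {"county.example"}

# Attachment types that commonly carry payroll or HR data in bulk.
SENSITIVE_ATTACHMENT = re.compile(r"\.(xlsx?|csv)$", re.IGNORECASE)

# Assumed log format: space-separated key=value pairs on one line.
LOG_LINE = re.compile(r"to=(?P<to>\S+)(?:\s+attach=(?P<attach>\S+))?")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_recipient(recipient: str, attachment: Optional[str] = None) -> Optional[str]:
    """Return a finding label for one recipient, or None if nothing looks wrong."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return None
    # A domain within two edits of an internal one is most likely a typo,
    # the same kind of error that routed the County's mail to a stray .ac host.
    for internal in INTERNAL_DOMAINS:
        if edit_distance(domain, internal) <= 2:
            return f"near-miss of {internal}"
    if attachment and SENSITIVE_ATTACHMENT.search(attachment):
        return "sensitive attachment to external domain"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the check over mail-log lines; returns (recipient, finding) pairs."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        label = classify_recipient(m["to"], m["attach"])
        if label:
            findings.append((m["to"], label))
    return findings


# Constructed sample log: one correct internal send, one typo'd internal
# domain, one ordinary external send, one external send with a CSV.
SAMPLE_LOG = [
    "2024-01-15T09:14:07 from=hr@county.example to=joe@county.example attach=payroll_q1.xlsx",
    "2024-01-15T09:15:22 from=hr@county.example to=joe@county.exmaple attach=payroll_q1.xlsx",
    "2024-01-15T09:16:01 from=hr@county.example to=vendor@supplier.example attach=invoice.pdf",
    "2024-01-15T09:17:45 from=hr@county.example to=vendor@supplier.example attach=benefits.csv",
]

if __name__ == "__main__":
    for rcpt, label in scan_log(SAMPLE_LOG):
        print(f"{rcpt}: {label}")
```

Run against the sample log this reports the typo'd recipient and the CSV going to a vendor, while leaving the correct internal send and the plain PDF alone. In practice the same check belongs on the outbound gateway, where it can hold or warn on a message instead of silently delivering it, which addresses the first lesson (silent failure) without the collateral damage of the fourth.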