Thursday, 30 July 2009

Oops, e-mail security vendor McAfee spills 1400 private names

In a story just dripping with irony, e-mail security vendor McAfee has accidentally sent the contact details of some 1400 conference attendees in a spreadsheet attached to a thank-you message.

On July 17, McAfee held a security conference at the Sydney Convention Centre. The event was well attended by 1408 guests. But in an e-mail a week later thanking people for attending, McAfee added a spreadsheet containing the names, numbers, e-mail addresses, employment details and even dietary requirements of the 1408 people.

As expected, McAfee went into damage control and immediately posted a message to those who received the list asking them to delete it.

But by then the damage was done. Steve Murphy, IT consultant and one of the 1408 people on the list, said the incident was “a real concern”.

“McAfee is brushing over it saying that it was just contact details, but it was the full registration database,” he said. “It is commercial-in-confidence information but these days social engineering is one of the most important aspects of security – it’s the kind of information that anyone can use.”

Murphy, who posted screengrabs of the emails on Flickr, discovered the mistake when he read the email newsletter and follow-up message.

“When I received the second email I was a little amused – until I opened the file and saw what was in there. Once I found out the details, I was horrified.”

A spokesperson for McAfee said the company sincerely apologised for the outcome and the inconvenience caused.

"Due to a human error, the contact list for a seminar [held two weeks ago in Sydney] was mistakenly attached to a promotional e-mail being sent to conference delegates. This contact list included common conference registration information but did not include any financial information," the spokesperson said.

"McAfee managed to intercept this e-mail before it was sent to all recipients, so it is uncertain how many recipients received the list."

McAfee has taken "the appropriate steps" to inform people of the mistake.

"We apologise for this error and are taking steps to ensure it doesn't happen again."

Let’s hope the “appropriate steps” to prevent this type of data loss include the use of McAfee Total Protection for Internet Gateways.

By combining email and web security with data loss prevention in one affordable solution, McAfee Total Protection for Internet Gateways helps you protect against malware attacks and keep sensitive information secure, according to the company.

“Automatic enforcement of industry and regulatory controls – Apply policies consistently to stop sensitive and protected data from leaving the enterprise through email and web traffic.”

Tuesday, 21 July 2009

McAfee getting more aggressive on cloud-based security

McAfee Monday says it intends to expand its security-as-a-service offerings in recognition that customers are opting more and more to adopt cloud-based deployments.

"We already have a good foundation for this," says Marc Olesen, McAfee's senior vice president and general manager of the new software-as-a-service business unit. McAfee Total Protection Service, which has about 5 million users, is primarily cloud-based for endpoint and mail security scanning. In addition, McAfee's Web Protection Service, wholly in the cloud, provides URL filtering and reputation analysis, while the company's Vulnerability Assessment service can scan Internet-facing systems to discover software vulnerabilities.

But McAfee anticipates a much wider push into security-as-a-service in the course of the coming year.

For instance, the company envisions "adding an inside scan, which is not something we deliver today as security as a service," Olesen says. "Today, it's still outside the firewall."

McAfee's Foundstone Enterprise product can be used to scan the corporate intranet, but the company is looking at how to make use of the underlying technology to provide an internal scanning service.

Another area of focus is further developing a cloud-based management console, according to Olesen. "Customers are telling us they want the management in the cloud," he says. "They can get started quickly with it."

One customer, Philadelphia-based Gemino Healthcare Finance, has found it much easier to use McAfee's Web-based management in the cloud for the past two years than having to install and maintain an antimalware management console in-house on a server.

"It's a huge reduction in maintenance," says Peter Herschel, director of IT at the 18-person outfit. He says he's more or less on his own managing all the servers and desktops for the company, which provides financing to hospitals and others healthcare organizations. "I need basic security kept simple."

McAfee is examining methods for log archiving in the cloud, and in particular will be looking at three vertical industries -- telco providers, financial and healthcare -- where new security-as-a-service offerings can be delivered.

McAfee will look at services that telco providers can not only use themselves but offer as services to their customer base. The vendor also intends to expand its e-mail filtering offering to include continuity services.

Not all types of security protection readily lend themselves at this point to a cloud-based deployment, Olesen acknowledges. Data-loss prevention and unified-threat management products, for instance, do not appear to be candidates, but the management of them could be.

"It's a gradual shift to the cloud," Olesen says, adding McAfee will be making investments there, mindful that key competitors such as Symantec are also zeroing in on cloud-based services. While not announcing a specific timeframe to achieve the efforts described, McAfee expects that many of its goals will be accomplished within the course of the year.