I read about a security issue where a person in Australia received over 200 emails from Uber about completed rides...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
in Kenya, and this raised some questions. If an individual receives account-related emails on their corporate email address for accounts they didn't actually create, what steps, if any, should be taken? What responsibility does the enterprise security team have?
The issue here is that Uber doesn't verify email addresses, and these erroneous emails were being sent directly to a different user who was able to view private information on the real customer.
With that being said, if there are multiple emails incoming to an organization regarding accidental sign-ups or verification, it is an enterprise's right to block these incoming messages without question.
Unlike personal email, which the user has control over, corporate email security is the responsibility of the enterprise for which the employee works. This account, the emails and everything associated with it, are property of said organization.
If there is ever an issue with emails accidently being sent to the company and affecting it adversely, the company has the right to block these emails in its mail gateways or spam and phishing filters as part of the corporate email security policy.
The first step to remediating this issue would be to validate the inbound email. Also, you should determine if this email is something about which a user has asked their mail admins or if is it something the mail team noticed.
It's possible to unsubscribe from these emails if they're active, but if they keep flowing, the only recourse may be to block the address at the spam gateway.
If a similar situation to the Uber instance occurs, a mail admin can make a dedicated rule in the spam gateway to exclude the messages from being delivered to a particular mailbox. The user won't realize it was sent, and would no longer have accidental emails flowing into their inbox.
It's possible that these messages might have already been tagged as spam by a web filter based on the thresholds and reputation of the sender, but if not, it's not difficult to deny these emails and limit the damage to a user's mailbox. Depending on the location of a spam filter, in the cloud or on premises, the number of emails sent would have to be reviewed to determine if resources on the gateway are a concern for daily operations and corporate email security.
From an ethical standpoint, and in this case, it would be worth contacting Uber's support team to notify them that you're receiving these erroneous emails. If this can be done without introducing a privacy issue for the intended user, it would be ethical to try and resolve it for them. But if it meant digging into an account that wasn't yours, it's best to stay away from it.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Find out if you need both an email security gateway and a web security gateway
Learn how to choose the right email security gateway
Discover the best training techniques to deal with phishing
Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)
Related Q&A from Matthew Pascucci
Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F...continue reading
US-CERT encouraged users to use newer versions of Windows SMB, since version one is out of date. Expert Matthew Pascucci explains how to tell if SMB ...continue reading
Identity governance and access management systems overlap naturally, but they are still distinct. Expert Matthew Pascucci explains the difference ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.