Security Issues due to bad Mail Practices: The LyonMUN case
Many associations use Gmail for their general communication with members. Often, this includes sending newsletters. Recently, the organisers of the UN politics simulation (MUN) LyonMUN accidentally leaked a large number of participants' mail addresses this way (mine as well). I decided to raise awareness of the security risks with a little experiment, and also to test the reaction of the organisers.
Incident
On Friday at 0:25¹, I received a mail from the organisers of this year's Model United Nations (MUN) conference in Lyon, called LyonMUN. The mail was sent from lyonmun2017@gmail.com to 222 people who had either participated in earlier editions of the conference or already signed up for this year's edition. The purpose of the mailing: to promote the upcoming edition and urge people to pay the conference fees.
The problems here are:
- The sender mail address is difficult to verify (I will come back to this later).
- All 222 people now have the mail addresses of all the others. That means many personal mail addresses have been leaked by the organisers, presumably by accident.
Due to the way mail works, you cannot undo a mail once it has been sent. The only possible measures are to inform the data subjects transparently about the incident and its potential security implications, and to take precautions to prevent future incidents.
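One precaution of the kind mentioned above, as an added example that is not part of the original post: a pre-send check that lists the addresses every recipient could read in To/Cc and rebuilds the mailing as one message per recipient. The function names, the `MAX_VISIBLE` threshold and the example.org sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 5  # assumed policy threshold, not taken from the post

# Constructed sample newsletter: 7 addresses in To, 2 in Cc (one a duplicate).
SAMPLE_RAW = (
    "From: newsletter@example.org\n"
    "To: " + ", ".join(f"member{i}@example.org" for i in range(1, 8)) + "\n"
    "Cc: Member1@Example.org, guest@example.net\n"
    "Subject: Conference fees reminder\n"
    "\n"
    "Please pay the conference fees.\n"
)


def exposed_recipients(raw: str) -> list[str]:
    """Distinct addresses that every recipient can read in the To/Cc headers."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    seen = {}
    for _name, addr in pairs:
        if addr:
            seen.setdefault(addr.lower(), None)  # dedupe, keep header order
    return list(seen)


def needs_split(raw: str) -> bool:
    """True when the draft would disclose more addresses than the policy allows."""
    return len(exposed_recipients(raw)) > MAX_VISIBLE


def split_per_recipient(raw: str, sender: str) -> list[EmailMessage]:
    """Rebuild the mailing so each copy names only its own addressee."""
    msg = message_from_string(raw)
    copies = []
    for addr in exposed_recipients(raw):
        m = EmailMessage()
        m["From"] = sender
        m["To"] = addr
        m["Subject"] = msg["Subject"]
        m.set_content(msg.get_payload())
        copies.append(m)
    return copies
```

Each returned message can then be handed to the mail system on its own, so no recipient's copy carries another recipient's address.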
I had a bad experience during last year's edition, LyonMUN 2016, when, as a participant, I remarked that one aspect of their conference may intimidate the participants: they offered to let people anonymously send roses to individual participants, with a message read out loud by the organisers in front of the assembly, without prior consent of the receiver. I thought this may open the door to potential bullying. The then president of LyonMUN and now secretary general, Mélanie Villar, just made an IMHO snide remark, and that is all that happened. I was certainly a bit disappointed and had expected a debate, taking into account that promoting debating is one of the purposes of MUN associations and events.
For that reason, I thought of a more creative approach to initiate a discourse. It is not as if security on the internet is not a topic for LyonMUN. On their website, the press team posted an article concerning cyber defence not even 2 weeks ago. Unfortunately, LyonMUN has apparently not adopted adequate measures of their own. Let's see what happened!
¹ Maybe the sender was tired after working past midnight and less attentive to what s/he was doing.