Border Patrol Agent Forwarded All Emails To Someone Else's Gmail; Only Discovered When 'Civilian' Responded

from the oops dept

Intercept reporter Jenna McLaughlin alerts us to a rather stunning security mistake by a Customs and Border Patrol (CBP) agent, as outlined in some DHS released “incident reports” concerning “cloud data breaches.” The very first one involves the CBP agent forwarding all of his email to a personal account, but messing up the configuration, so that it actually forwarded to someone else’s Gmail account (someone with a similar name) — and this mistake was only noticed when this “civilian” responded to an email he had received via this forwarding, and the response was sent to a wider mailing list of Homeland Security employees:

If you can’t see that, here’s what it says:

CBP reports that one (1) CBP user had an auto-forwarding rule setup to have emails sent externally to a civilian’s personal Gmail account. There is a possibility that sensitive information to include Personally Identifiable Information (Pll) has been accidently sent out due to this rule. The incident was discovered when a civilian responded to a CBP user’s email to a distribution list of other CBP/DHS users. The CBP user noticed the civilian’s Gmail address and reported it to the FTO who then reported the incident to the CBP CSIRC. Upon investigation and confirmation from EaaS, one (1) CBP Border Patrol Agent who was on the email distribution list had an auto-forwarding rule setup within their Exchange account to a non-CBP/DHS user’s personal Gmail account. The name of the Border Patrol Agent and the civilian are very similar, but it was determined that the Border Patrol Agent misconfigured the rule by using the civilian’s personal Gmail address instead of his own. Technical remediation will include working with the EaaS team to implement a rule to disable the auto-forwarding rule and only allow it when requests are made to the Exchange team. The incident has been reported to the CBP Privacy Office and Joint Intake Center for action (assisting the user to have all government emails removed and confirmed).

It seems rather stunning that CBP/DHS didn’t already have such a rule in place. Then again, this is Customs and Border Patrol, who has something of a history of not really giving a fuck because they can get away with doing whatever they want and no one ever does anything about it.

Later in the same report, it is revealed that this auto-forwarding from inside DHS to private accounts happened somewhat frequently. An investigation just a month after the incident above showed 771 such rules set in DHS staffers Exchange systems:

If you can’t read that, it says:

DHS SOC reports that a total of 771 rules are configured in Exchange to auto-forward emails external to DHS. DHS SOC requested and received a list of 771 automated email forwarding rules created by DHS Email as a Service (EaaS) users. Auto-forwarding or redirecting of DHS email to address outside of the .gov or .mil domain is prohibited and shall not be used per DHS 4300A policy, section 5.4.6.i and poses a high risk of accidental disclosure of Pll, SBU, FOUO, LES, or classified data. The incident has been reported to the Joint Intake Center (JIC). Affected Components (CBP, FEMA, DHS HQ, and DC2) are asked to identify and remediate the rules.

Not sure about to you, but this doesn’t make me feel much safer about DHS at all. And, remember, DHS is one of the government bodies currently looking to manage the government’s cybersecurity efforts — and they’re considered the better option given just how little people trust the NSA or the FBI (the two other main contenders).

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Border Patrol Agent Forwarded All Emails To Someone Else's Gmail; Only Discovered When 'Civilian' Responded”

Subscribe: RSS Leave a comment
Ninja (profile) says:

Re: Re: Re:

You underestimate stupidity. You’d need an unworkable system to make it fully secure.

Why were the users allowed to forward their mail, and additionally, allowed to forward to non-government/cloud services?

You see, I agree with that to some point. The government needs to communicate with the outside world at some point. I’m not sure how CBP works but they surely need to send some mail out at some point. What could be done here is to make it a whitelist system where you need to submit external mails to approval (ie: John Doe must be contacted because X reason, his e-mail is Y so upon review, Y mail is allowed to communicate to that employee and that employee only). So the best alternative is to weed the stupid out and keep the system minimally workable. Maybe somebody better at security can prove me wrong?

Anonymous Coward says:

Re: Re: Re: Forwarding mail, automatic vs manual

I think grandparent is questioning why the e-mail platform allows writing a rule that automatically forwards e-mail outside the organization. Allowing a user who goes to the trouble of selecting the e-mail(s), clicking Forward To, and choosing a destination to send it wherever he/she wants, even if that destination is stupid, is comparatively fine, because we hope that the user does not routinely make the same stupid mistake as he/she forwards every e-mail of interest. On the other hand, in this case, it only took one stupid mistake, compounded by not investigating the problem when mails failed to forward to the intended GMail address, to let an unspecified number of e-mails go to the wrong destination. Moreover, if the owner of the receiving account had been inattentive or decided not to speak up, this could have gone undetected for a long time.

You cannot protect against users making stupid mistakes, but you can take away the tools that let them magnify a single stupid mistake into a huge mess.

John Fenderson (profile) says:

Re: Re:

This could not have happened where I work, or at least it would have been detected much sooner. Here’s how my employer runs company emails: if you are sending an email to a non-company address, then it goes through extra layers of scrutiny (including examining attachments to the extent of even unzipping and examining archive files).

This examination is VERY strict, and if the email you’re sending even looks like it might contain something sensitive, then that email is not sent. Instead, you get a warning of the problem and are told to contact the security team to get an exception put into place if needed.

Anonymous Coward says:

Re: Re: Re: Re:

…”and if the email you’re sending even looks like it might contain something sensitive”…

…So does it autodetect encrypted files? Even then there are ways to hide data within perfectly legitimately looking data…

Depends on your system configuration and how good your admins are. I’ve lost count how many times we had to ask for software or firmware updates be snail mailed on CD because our systems trash any EXE, DLL, and BIN files even if they’re in a ZIP or RAR file. Any attempt to direct download does the same thing. We finally figured out that setting up a single workstation directly on the internet gateway but outside the LAN/WAN was good enough for such downloads. Once downloaded the file(s) get put onto a CD or USB and taken to the IT folks for them to play with.

Anonymous Coward says:

Re: Re: Re:

oh wait, how does someone know what they DIDN’T receive again

Easy. You send a mail that you expect to be forwarded (or get someone else to do that for you, with out-of-band confirmation that they sent it). If it shows up, you know the forwarding is at least somewhat functional. If it does not, you can investigate further. This can be as easy as calling to the next desk over “Hey Joe, mail me a test message. I want to check something.”

ltlw0lf (profile) says:

Why can't people verify email addresses before sending?

The incident was discovered when a civilian responded to a CBP user’s email to a distribution list of other CBP/DHS users.

Having had an amazingly similar situation happen with me where a non-profit organization sent a very sensitive document to me at one point on accident, and then wanted me to sign an NDA because, even though I told them I deleted the email unread, I might have seen something I shouldn’t have and could have made life miserable for them (the email and the contents were deleted, I have no idea what it was.) I told them full stop, they sent the email to me due to no fault of my own, and I wasn’t going to sign anything.

It really doesn’t take that long to verify you have the right email address (and more importantly, the right domain name) for sending sensitive information. Yet, they told me they were so busy and couldn’t confirm the email address and thus it was somehow my problem that they sent me what they sent me.

What is really sad is that even though they screwed up, in today’s society, I suspect that no good deed will go unpunished (especially given the phrasing above.) The good samaritan let them know they were broken, but they discovered the problem, no thanks to the good samaritan.

Anonymous Coward says:

organizational policies

This is a bad idea but being a government employee the reason the person may have done it in the first place was to have quicker access to work stuff under the belief that such access was needed. My org does not give everyone easy access to emails…just the “leaders” however it is highly suggested that ube able to check your email 24/7 in case a leader has something imprtant to tell you. True i can use VPN to access my account via a ccomputer (and maybe my phone…never tried it) but it is not always on and to be logging in over and over again.

If i forwarded those email to my gmail account I do jave quick an easy access.

So not saying it was a good thing but rather there may be other things in play that made the agent forwarf the stuff in the first place.

And in case you are wonderingn I do not forward any work email to a personal account. If a manager needs something from me during non-regular hours he or she can call me.

Joe Random says:

SMTP insecure

It’s a wonder that ANY sensitive information is permitted to go out via email, since almost every server is insecure by default. It’s possible to require TLS/SSL, but almost no one does this in a way that’s resistant to downgrading to plaintext (see ). Default server settings also frequently do not bother to authenticate certificates, which, far too often, are self-signed or expired anyway. See also .

Even when TSL is required, there’s the possibility of one of the many certificate authorities that the average SMTP server trusts going rogue. Each of these weaknesses are exacerbated by a dependence on easily-spoofed DNS.

tqk (profile) says:

Re: SMTP insecure

Even when TSL is required …

That’s how easy it is to do. Somewhere along in time, a lot of people decided that, for whatever reason (too busy, no time, inattention to detail, lazy, easily distracted,…), proofreading was unnecessarily costly and too much trouble.

Add to that this CBP agent also couldn’t be bothered to test that his forwarding rule was actually doing what he intended. Combine those two failures and, when it finally comes a cropper, he (and his employer) get to wear egg on their faces while damage control kicks in.

TD even supplies a “Preview” button, and that malformed Three Letter Acronym (TLA) is wearing a squiggly line underneath it put there by my browser’s spell-check.

Trust, but verify. Or look funny when eventually found out. 🙂

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...