Volume 5 - Issue 1
Investigating the leakage of sensitive personal and organisational information in email headers
- Jason R. C. Nurse
Cyber Security Centre, Department of Computer Science, University of Oxford.
jason.nurse@cs.ox.ac.uk
- Arnau Erola
Cyber Security Centre, Department of Computer Science, University of Oxford.
- Michael Goldsmith
Cyber Security Centre, Department of Computer Science, University of Oxford.
- Sadie Creese
Cyber Security Centre, Department of Computer Science, University of Oxford.
Keywords: Email analysis, Information leakage, Digital forensics, Unintentional information exposure, Attack reconnaissance, Security and privacy risks
Abstract
Email is undoubtedly the most used communications mechanism in society today. Within business
alone, it is estimated that 100 billion emails are sent and received daily across the world. While the
security and privacy of email has been of concern to enterprises and individuals for decades, this has
predominately been focused on protecting against malicious content in incoming emails and explicit
data exfiltration, rather than inadvertent leaks in outgoing emails. In this paper, we consider this
topic of outgoing emails and unintentional information leakage to better appreciate the security and
privacy concerns related to the simple activity of sending an email. Specifically, our research seeks
to investigate the extent to which potentially sensitive information could be leaked, in even blank
emails, by considering the metadata that is a natural part of email headers. Through findings from a
user-based experiment, we demonstrate that there is a noteworthy level of exposure of organisational
and personal identity information, much of which can be further used by an attacker for reconnaissance
or to develop a more targeted and sophisticated attack.