
Work Email + Personal Transactions: A Dangerous Combo

Feb 5, 2025 Tech blog

Signing up to newsletters and buying concert or event tickets with a work email account is convenient for the employee, but it creates real security exposure for the employer and should be strongly discouraged.

Take the Ticketek breach in mid-2024. Anyone who used a work email address when buying tickets has unwittingly exposed that professional address, and the personal details held against it, to cyber criminals. And, by doing so, they have potentially exposed their employer's network and systems.

In the case of the Ticketek breach, thousands of users had their private data leaked. Those people are now at increased risk of phishing attacks, often without knowing it. With a work email address and the other personal data gained through the breach, a cyber criminal has everything needed to craft a highly convincing phishing email, perhaps about a recent purchase or a refund. If the address is a work account, and the user doesn't spot the scam and clicks the malicious link, it is the work environment where any spyware or ransomware lands. And if the password chosen for the ticketing account was the same as the work password, the attacker may not need phishing at all: the leaked credentials can simply be tried against the company's email or VPN login. Either path can expose confidential documents, client data or intellectual property, and may trigger a notifiable data breach for the employer, a costly and extremely stressful scenario.

The aftermath of the Ticketek saga is ongoing, with the OAIC announcing in January 2025 a class action complaint regarding Ticketek's handling of personal information. Meanwhile, there has been a major uptick in compromised passwords related to this incident appearing on the dark web. If you have ever used your work email for non-work-related activities, we strongly recommend the following actions:

  • Change your passwords immediately for any accounts linked to your work email, and for any other account (including your work login) that shares the same password
  • Consider deleting accounts that were created using your work email for personal purposes
  • Enable two-factor authentication (2FA) wherever possible, preferably with an authenticator app or hardware key rather than SMS, to add an additional layer of security
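A practical way to act on the first step is to check whether a password you have been using already appears in a known breach corpus before deciding whether to keep it anywhere. The script below is an added example, not part of the original post and not IT Basecamp's own tooling. It assumes the Have I Been Pwned "Pwned Passwords" range API, which accepts only the first five characters of a password's SHA-1 hash (k-anonymity), so the password itself and the rest of its hash never leave your machine. The range response embedded in the block is constructed for offline use; the real API returns many hundreds of lines for each prefix.

```python
import hashlib
import urllib.request
from typing import Callable

# Assumed endpoint of the Have I Been Pwned Pwned Passwords range API.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-character prefix
    that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate CRLF and blanks."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a 5-character hash prefix (needs network access)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen).

    Only the hash prefix is sent; the suffix is matched locally against the
    returned range, so the service never learns which password was checked."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Counts and the other suffixes are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "00A8DAE4228F821FB418F59826079BF368E:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "",
    "0FF6F1E38E2A8C8C3C4E8A3B0D5F1A2B3C4:1",
])


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs without network access."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:1"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-not-in-constructed-list"):
        n = pwned_count(candidate, offline_fetch)
        verdict = f"seen {n} times, change it everywhere" if n else "not in the constructed list"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service. A non-zero count means the password is in circulation on the same criminal markets the post describes, and it should be retired on every account that uses it, not just the one where it leaked.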

For companies using IT Basecamp's Cyber Security Concierge program, dark web monitoring is part of the service. After the Ticketek breach, we reported to clients which of their employees' emails had been compromised and turned up on the dark web, as shown in this snapshot from a report (user emails removed for privacy):

Forewarned, these clients followed the steps above: they changed passwords, deleted personal accounts tied to work emails, and enabled multifactor authentication where it wasn't already on. Making the most of an unfortunate situation, they also ran it as a training and awareness exercise for all staff.

Remember, once data is on the dark web it cannot be removed. Using your work email for personal purchases and sign-ups increases the risk of breaches like this reaching your company, and it likely violates your company's IT policies. Best practice is to reserve your work email for professional purposes only, stay vigilant, and act quickly to protect your personal information.
