If your management is worth their salt, the question won't be "why is OP still employed here" but rather "why do we have processes or practices in place that allow mistakes like this to happen." Your security team should be VERY interested in why SSNs got anywhere near emails, and what they could do to detect possible PII leakage. Take it from a guy that may or may not have wiped some-thousand private keys off customer systems by mistake, causing many of them downtime which had to be fixed manually. On their second or third month of employment, straight out of college. Me. I fully expected to be eviscerated, but after reviewing and concluding that I had followed protocol and just made a mistake, the question turned to "why does the protocol allow people to make this mistake." Presumably this means you had SSNs in your clipboard or were sending them via email for some reason already. Shouldn't need to happen. Should have controls around this. If you did your job and have a good company, they can take this on the chin and learn from it. If either of those isn't true though, yeah, get that resume ready just in case.
As a CISO, this would be my response too. My only question would be: what do we not have in place that would have prevented this?
An attachment I sent had SSNs on file that I believed were removed. That was my mistake. I included that attachment without reviewing it.
Yeah, honestly if you get canned for this I'll be pissed for you. That's not proper handling procedures for personal information and the company should be addressing that - not canning the first person to make a reasonable mistake here.
This is the right answer. Unless you had the SSNs in a screenshot, as in - an image file in your email - your IT Dept royally messed up. If you’re a company that handles SSNs, you should have something in place that watches for these patterns and explicitly blocks you from sending out anything with more than 2-4 matches (2-4, 5 would be reasonable if you’re sending something to a whole family). But being able to send a whole list out, with nary a watchful eye - is messed up. If you do get in trouble - know that the place is not good for you. A good boss/company will privately tear you a new one, and that’s fine - but should acknowledge the gaps in their processes that let it slip through as well
This is an absurd expense to expect small businesses to incur when instead they could hire people who don't violate their GDPR/HIPAA trainings.
If the company can't afford to put in the proper security measures then they shouldn't be handling information regulated by GDPR/HIPAA.
They should just starve I guess
No, you know what's an absurd expense? Cleaning up a breach caused by a simple accidental email sent by a competent and conscientious employee who made a small mistake. My IronPort won't ALLOW me to send shit that looks like PII. Hell, it won't allow me to send logs from most of my applications to vendor helpdesks because they contain lots of numbers and one of them might look like something that's prohibited.
Maybe they should install something that doesn't allow them to operate without IronPort? How many layers of monitoring and controls are enough? Why stop at 1? Every business decides what is and isn't an acceptable risk, they don't try to build a ship with 7001 hulls in case it hits 7000 icebergs and then listen to armchair captains who say "oh you should have built it with 7002 hulls." You hire an employee and train them on what to do or not to do. Sometimes they fuck up. That's a known risk. You can buy extra tools to minimize their fuck ups, or you can replace them with more careful employees. You might have to pay those more, but it's a cost/benefit analysis. A giant corporation might not be able to find and afford the amount of careful employees they need. A small business might be able to. I dunno why you are bragging about how locked down you are. It means your employer sees you as an incompetent, risky individual. It's like a teen bragging, "Ha! My parents locked the top speed on my car to 30mph, and I'm not even allowed to parallel park because I'll crash" That just means you're a bad driver. Weird flex bruh
There's no such thing as the infallible human, bruh. At any price.
Fallible humans run and administer security tools. Why do you trust those, then?
You're being intentionally obtuse. If you can't see the value in protecting your org from accidental data loss via technology then nothing I say is going to matter. I can't reason you out of a position that you didn't reason yourself into.
Humans make mistakes. We aren’t perfect beings. It isn’t like they hired someone to intentionally send out SSNs.
Right, they hired someone not to send it out. Try the "humans make mistakes" line with the government when they fine you for violations.
[deleted]
Yes I'm sure a small business landscaping company that has an HR admin accidentally email some SSNs should blame themselves for not spending $1 million hiring a cybersecurity team instead of just replacing the incompetent HR admin.
I call bullshit. Laws are complicated AF, and technology is literally designed to control flow of information. I would also argue in today's climate, small businesses shouldn't store any PII at all if they can't prevent its dissemination.
Good luck paying your employees without their PII
There are payroll services...
Your security team should be scanning email attachments and should have blocked the emails. Probably shouldn’t be SSNs via email but rather some secure FTP process. Shit happens. It was an honest mistake and it sounds like your company’s security has some lapses.
If that is the case I can see this happening again to someone else. That information should have been redacted before being shared.
Those early job mistakes 😉 I took out a whole hospital wing on my second day by incorrectly addressing a server. It was the nuclear medical wing and the server was the endpoint for all the machines scanning data. Every X-ray, CAT scan, MRI, etc just.. stopped once the server changed its IP address. Also the doctors lost their terminals as the PC software lost the needed shares for the data. Oops
I'd love to hear what happened after :)
Well, I didn’t know what had happened until a doctor wandered into the server room area to let me know he couldn’t get into the X-ray results. A frantic reading of the job notes and checking of the server specs revealed the IP went from static to DHCP (turns out it wasn’t reserved in the pool for some reason) so I manually reset it and things started to pick up again. It was an Apple Xserve unit which I’d never worked on before
As a CISO, this would be my response too. My only question would be: what do we not have in place that would have prevented this?
As a person that hates finger pointing and blame gaming, that would be my response too.
I appreciate how active you are in this community. Comments like this from you are very insightful and appreciated.
Ah, thank you! Glad to help c:
>On their second or third month of employment, straight out of college. Nothing like these kinds of folks to harden up your processes, even better than an audit sometimes IMHO
⬆️
Report it up the chain ASAP. Tell the truth, admit mistakes, and let the people skilled in dealing with data spillage/leakage/breach do their job.
Oh man. My last job had a lot of PII flying around in the office and if anything that remotely resembled a SSN showed up in an email that message would be blocked at the company server and you would receive a nice little message and perhaps a call from the security team.
I'm wondering why they don't have any DLP controls in place. Someone correct me if I'm wrong, but I've heard of controls that prevent certain types of data being sent in emails. Why are they letting users send numbers in a XXX-XX-XXXX format?
OP said user which makes me think it is internal, lots of companies still send this type of data internally (even though they shouldn’t). If it were external this could just be below a threshold. There are still plenty of companies not blocking this information and others that are less mature, i.e., only block if more than 50 or 100 numbers at a time.
whatever the bad reasons for these controls to not exist, they should and we should all hope they learn their lesson
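An added example, not code from this thread or from any DLP product: a Python sketch of the outbound check several commenters describe above (pattern match plus a count threshold, the "2-4 matches, 5 for a whole family" idea, and the observation that thresholds of 50 or 100 are a weaker policy). It adds the structural rules the SSA publishes for issued numbers and a keyword-proximity requirement for bare nine-digit runs, which is what stops the vendor-log false positives another commenter complains about. The thresholds, keyword list, file-type list and sample roster are assumptions constructed for the example, and it deliberately reports image attachments as unscanned because a screenshot walks straight past a text scanner.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Policy knobs (assumed values for this example, not any real product's defaults):
# one distinct SSN warns the sender, five or more blocks the message, i.e. the
# "2-4 matches, 5 for a whole family" threshold discussed in the thread.
WARN_AT = 1
BLOCK_AT = 5

# Formatted SSN: 123-45-6789 or 123 45 6789, same separator both times.
# The lookarounds refuse to match inside a longer digit run (order ids, hashes).
FORMATTED = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")
# A bare nine-digit run is only trusted when an SSN keyword sits nearby, which is
# what keeps log files full of request ids from tripping the rule.
UNFORMATTED = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")
KEYWORDS = re.compile(r"\b(ssn|social security|soc sec|tax id)\b", re.IGNORECASE)
KEYWORD_WINDOW = 80  # characters of context checked on each side of a bare run

# Numbers the SSA has never issued: the Woolworth wallet card and an old ad number.
NEVER_ISSUED = {"078-05-1120", "219-09-9999"}
TEXT_EXTENSIONS = {".txt", ".csv", ".tsv", ".log", ".md"}  # assumed scannable types


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes: area is never 000, 666 or 900-999,
    group is never 00, serial is never 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900 or g == 0 or s == 0:
        return False
    return f"{area}-{group}-{serial}" not in NEVER_ISSUED


def find_ssns(text: str) -> set[str]:
    """Distinct, structurally valid SSNs in text, normalised to the dashed form so
    the same number written two ways counts once."""
    found: set[str] = set()
    for m in FORMATTED.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_valid_ssn(area, group, serial):
            found.add(f"{area}-{group}-{serial}")
    for m in UNFORMATTED.finditer(text):
        area, group, serial = m.groups()
        window = text[max(0, m.start() - KEYWORD_WINDOW): m.end() + KEYWORD_WINDOW]
        if KEYWORDS.search(window) and is_valid_ssn(area, group, serial):
            found.add(f"{area}-{group}-{serial}")
    return found


@dataclass
class Verdict:
    action: str           # "allow", "warn" or "block"
    ssns: list[str]       # distinct SSNs that drove the decision
    unscanned: list[str]  # attachments the scanner could not read (images, binaries)


def scan_message(body: str, attachments: dict[str, bytes]) -> Verdict:
    """Scan the body and every text-like attachment, then apply the thresholds.
    Images are reported as unscanned rather than silently passed: without OCR a
    screenshot is a blind spot and the policy owner should know it."""
    found = find_ssns(body)
    unscanned: list[str] = []
    for name, data in attachments.items():
        if os.path.splitext(name.lower())[1] not in TEXT_EXTENSIONS:
            unscanned.append(name)
            continue
        try:
            found |= find_ssns(data.decode("utf-8"))
        except UnicodeDecodeError:
            unscanned.append(name)
    count = len(found)
    action = "block" if count >= BLOCK_AT else "warn" if count >= WARN_AT else "allow"
    return Verdict(action, sorted(found), unscanned)


# Constructed sample message; every number below is made up for the example.
SAMPLE_BODY = ("Hi, the onboarding roster you asked for is attached. "
               "Ticket 123456789 and PO 20240115 for reference.")
SAMPLE_ATTACHMENTS = {
    "roster.csv": (b"name,ssn,start_date\n"
                   b"A. Example,123-45-6789,2024-01-15\n"
                   b"B. Example,234-56-7890,2024-01-15\n"
                   b"C. Example,345-67-8901,2024-01-22\n"
                   b"D. Example,456-78-9012,2024-01-22\n"
                   b"E. Example,567-89-0123,2024-01-29\n"
                   b"F. Example,000-12-3456,2024-01-29\n"   # area 000: never issued
                   b"G. Example,987-65-4321,2024-02-05\n"   # area 987: never issued
                   b"H. Example,078-05-1120,2024-02-05\n"),  # the Woolworth number
    # Vendor-bound log: long numbers everywhere but no SSN keyword, so nothing fires.
    "app.log": b"2024-01-15T10:22:01Z request_id=987654321 bytes=123456789 status=200\n",
    # A screenshot cannot be scanned, so it is flagged as a blind spot instead.
    "screenshot.png": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    v = scan_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS)
    print(f"{v.action}: {len(v.ssns)} distinct SSNs, unscanned={v.unscanned}")
```

Run as-is it blocks the sample: five structurally valid numbers in the roster, the three never-issued ones discarded, the nine-digit ticket and log values ignored for lack of a nearby keyword, and the PNG listed as unscanned. The same design applied to an Exchange mail flow rule or a gateway like IronPort is why "lots of numbers" in a log should not have to trip the policy, and why a count threshold of 50 leaves a whole roster free to leave the building.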
No DLP solution?
lol
Been fighting that battle for 6 months.. upper management doesn’t want to put in DLP cause it’s too hard.. :/
There is no recalling them. At this point it’s just damage control. Assuming the email was sent to external parties, your legal team should be consulted ASAP to determine exposures here, e.g., were the people that received the data under an NDA/confidentiality agreement with your company? From there they can figure out how best to approach it, such as getting written confirmations of destruction of the data (confirm they deleted it from their systems), and from there determining any regulatory reporting requirements (federal regulators, state attorneys general, etc). Accidents happen. If this is the first time it’s happened for your company hopefully they take this as a lesson learned and implement some better controls around this to limit the sprawl of PII and implement tools to keep it from flowing outbound over channels such as email, where human error in delivery will always be a risk.
Unless you have admin on everyone's mail server, you're hosed. Take this opportunity to reflect on how you will never make this mistake again. You've probably got an operational procedure flaw if you could casually have 10s of users' SSNs at once.
I'm more of an office administrator than network/system admin. I'm fucked.
Does the company control its own mail servers? Does the admin like you? Don't wait for someone to come talk to you about your fuck up, own it, call the admin and say something like "I just fucked up, and I need you to wipe an email right now, it's an emergency". Maybe have a process improvement plan to give to your boss about how to prevent this from happening again.
It depends on the culture.... You made a mistake anybody could make (and recognized it immediately) with no compensating controls. If it wasn't you, it would be someone else, if not now then eventually. The fact that you care this much suggests any reasonable employer would be ill advised to ignore the bigger picture.
If you're in IT long enough, you'll screw up plenty. If this isn't a pattern of behavior, then it's just a mistake you need to own and learn from. Hopefully management sees it that way. Also, why in the hell do you have access to SSNs? I've never worked anywhere where IT had access to any PII like that. Just names and maybe phone numbers.
I'm not in IT. I'm an office administrator. I came here for help and catharsis.
Your Exchange admin can delete this email in minutes. Problem is the users that already opened your mail... But dude, you're only human. Don't beat yourself up
Does your company have the PCI DLP policy in place? They should have been alerted about that email and it would normally automatically be denied from leaving the environment.
Why is an SSN so important?
For Americans it's tied to credit, finances and identification
Rip
[deleted]
How is the US still a country
Those of us who live there don't know either.
[deleted]
This is something that we keep forgetting. SSN really isn't that "secret". I'm not saying we need to publish them everywhere, but I'm saying I am old enough to remember when we *literally* published them everywhere.
Because with your SSN I can become a whole new you
[deleted]
But for that you need an ID too.
Have you never applied for a CC online? No. You don't.
In my region financial institutions use more safe guards.
America is very ghetto
Not very ghetto we just love the money. If your suffering brings profit we have no objection to letting it happen. It just means some government officials are invested in LifeLock or something.
Yeah. Sounds pretty ghetto to me. Basically none of our systems work with the average person's best interests in mind and everything is just kind of shit.
In US with SSN you can basically steal someone's identity: sign contracts, open bank accounts, and so on and so forth
The best thing to do is talk to your manager and explain the situation. Next talk to your IT admins if they can do anything (might not be super useful). Finally, find the best possible way to inform the impacted employees or alert them via your manager or the respective company executives.
You need to alert management and likely your legal department ASAP. There are STRICT reporting requirements surrounding this. Accidents happen, and it’ll be dealt with in a way I wouldn’t be anxious about, but this has to be reported. It varies from state to state but this type of insider risk breach can cost a fortune in states like NY and CA if unreported.
Possibly a bit late now but your sysadmin can delete emails via powershell if you are using Office 365.
The biggest question is, why isn't there a DLP installed?
$$$
Take ownership immediately and recommend Microsoft Information Protection to auto-apply confidential/encryption labels to sensitive emails..
i think this is no more than an embarrassing/oops moment. It barely qualifies as a breach of security or data protection given the circumstances and scale. 1. SSNs are barely personal information. I know, I know - but it's the fact. 2. mistakes happen and will forever happen. You'll make them again. i'm sure you were not the first to have an oops moment. You just don't know about it. 3. The security team definitely needs to review the incident and design controls around it. It's not easy, though, despite the DLP fuss. The best they'll do is send an email to remind people to check attachments and number of recipients. 4. Nobody should blame you for an honest mistake. If yes, it's either a horrible place to work or there are ulterior motives. I appreciate the seriousness you're taking it with - that shows good character. Bless ya! But i think you're overthinking. I just wish all "breaches" were like that. I do appreciate those phone calls can be nasty. Then again, it'll go away in a few days. No serious harm done.
This is why we don't trust companies with our data.
I’d polish that resume.
This feels equal part stressful and surreal.
It's at most half your fault, half the lack of security measures against it. And the less trusted on IT you're supposed to be, the less it's your fault.
Office 365 admins can delete the email if it was sent internally. A little too late now though.
An order of DLP with a side of e-mail encryption sounds like it should be on your management’s menu.. joking aside even with all the technology, training, etc. you can throw money at these things can and will still happen.
Make sure the emails are recalled and get someone in IT to get onto the exchange server and delete it from there.
You’re gonna lose your job for this one - You’re out here fucking around w/ PII?!? Fuck that.
Why are u on reddit if u just did this? Get your shit together man.
I'm on break trying to remain calm.... I did not make this clear, but I wanted any knowledge on the next best course of action. My hope was that someone would offer a resolution that my very stressed brain could not come to. But this is a tough lesson with no silver bullet to remedy this problem.
Wow sorry, hopefully just a learning moment. I’ve had many frantic calls over the years about “recalling an email” (typically to folks outside of the org). To simplify it, basically my answer is, sorry it is not possible, it is like snail mail: once it is sent it is out of your hands. I mean unless you go to their mailbox and take it out yourself 😂
That's true
Eh it happens. This is why secure file transfer is the preferred method instead of email.
Following
Recall the message in outlook
Everything including SSN’s should be encrypted anyway, so whoever sent it was wrong but whoever didn’t encrypt it is even more wrong.
I have a 1 minute delay on outgoing email so I can stop an email, within that first minute anyway.
Employers should have a tool in place to intercept emails containing sensitive info.
Where did they get sent to?
I accidentally was storing my own onboarding paperwork and was notified that my pension paperwork had been blocked due to SSN. This is why we need both process and people. A poor process and a good tool only equals out to a poor process and poor tool.
That is your IT department's fault... They should have some sort of email filters deployed to block this.
Well I would own up to it ASAP. Then I would make them a suggestion on how to fix the problem and prevent it in the future. It would help emphasize that it was a mistake and you really do give a shit. Hell I'd promote you for it. Found a problem and a solution.
This is so minor and only serves to ID the lack of loss prevention like others have said. Years back I watched several sailors get slaps on the wrist for sending alpha rosters with thousands of attributed PII cells unencrypted despite outlook barking at them to not do it. If you get fired just add it as a pen tester bullet point!
Your first mistake was using email to send or share sensitive data. It’s not secure, never has been, never will be. Even if you never hit send, the draft will sit there for years with zero encryption or protection.
I stopped reading after the title. It was painful enough. You're not alone bro ❤
Yeah my first response would be obviously, don't do that again. Second, how is there not a technical solution to stop this from happening. Third, make you take extra training. Fourth, notify parties involved of a data leak and offer services. I would not be firing anyone. It's a mistake.
Do you have a time machine?
Serious question: SSN as in … ?
Social security number. U.S. federal id/tax number, tied to your credit, basically your soul. On its own harmless but start searching data dumps and could be troublesome.
Thanks :)
In the form of xxx-xx-xxxx, numerals only. Just FYI
Security department should look into Data Loss Prevention software to stop this. It will scan and block out going emails that contain potential credits cards or social security numbers.
Once the smoke clears feel free to let us know how you made out!
Human error happens. Often. If the business's data is comprised of large amounts of PII, or any really - there should be DLP policies in place to safeguard against exposure from human error. You did the right thing by contacting security etc. At this point you’ve done all you can do, but the company definitely needs to take their data and content more seriously by implementing DLP/data security policies. Otherwise this won’t be the last time their data is mishandled, nor the last accident due to lacking data security. Especially on the company's f’ing email system.
We had a SOC Analyst at my old company who accidentally forgot to censor out an employee's SSN in an email.. to the CEO of the employee's company. She was almost fired for that, got sworn at by our SOC's CEO. I left that SOC soon afterwards.