Just testing the water with the IT geeks out there who might know.....
How effectively does MS Outlook recall work? Specifically when the emails are being sent outside of the organisation to a range of different email accounts (gmails, iclouds, yahoos, company emails etc)
We were on holiday last week and in my wife's absence her line manager (company director/part owner) sent an email out to a very large number (1500) of people but did it in such a way that all contact information was viewable to all recipients (something to do with a limit of 100 from a Bcc). She went into my wife's account (directors have full access to all employees' email accounts and go in frequently) and did it from my wife's email address so it looks like she made the error. The people on this email really [u]really[/u] should not be able to see who else was sent information. They sent a recall about an hour later when they realised what they had done.
Walking into work this morning to a bombard of complaint emails Mrs C was mortified. It's an industry where your reputation is built on your ability to work confidentially and the email list included personal friends as well as just about everybody who is everybody. She thinks her personal reputation is in tatters. I fear she might be right.
She wants, nay demanded, that the company director that used her email address send out a communication making it clear that it was not Mrs C's error but so far they are refusing as they are trying to get to the bottom of how many emails got recalled before being read (can you do this?) and don't want to highlight the problem to people who didn't notice? I think the other reason is the director is pretty teflon and clearing Mrs C would mean implicating herself. My wife was all up for resigning and walking away from them (this was a final straw) but appreciates they will just ensure it looks like it was her fault if she does. Currently considering her next steps, getting a lawyer involved etc. Future at the firm is not the issue - getting away with a reputation to get another job is more the motivation.
So how effective is an Outlook recall? My wife's personal email address was on the list and she got it. 50% of her friends she's checked with did too.
The recall only works (and only if not opened) for mailboxes on the sender's Exchange Farm so completely ineffective.
My experience of people recalling Outlook emails from other organisations is that all it does is send you a lovely email that says that the sender would like to recall a previous email. Which of course one then reads fully to try and find out what was wrong in it.
Once it has left the Exchange server that your mailbox is on it is effectively gone. And once it is outside your organisation it is gone for good.
My experience of people recalling Outlook emails from other organisations is that all it does is send you a lovely email that says that the sender would like to recall a previous email. Which of course one then reads fully to try and find out what was wrong in it.
Got to confess this is mine too.
Which of course one then reads fully to try and find out what was wrong in it.
+another
In my experience; not very effective at all.
some reasons why from Microsoft
Message recall is not successful if one or more of the following conditions are true:
The recipient is not using Outlook.
The recipient is not logged on to the mail service provider.
The recipient is using Cached Exchange Mode and is working offline.
The original message is moved from the Inbox. This can occur when rules are used.
The original message is opened first and marked as read. This can occur when the message is displayed in the Preview Pane or Reading Pane.
But when you say all contact info, do you mean all or just an email address?
If your wife was away then surely she has an alibi in the event of a tribunal. If a friend has the original email the header may contain origination information showing where it was sent from. If your wife wasn't physically at work then she has a leg to stand on. If it was sent from Outlook Web App by the director then this should be traceable too on the exchange server.
Personally I think the director should come up with a bloody good excuse for the cock up and apologise to those who received the email. If not then the evidence will be available from one of the 1500 people contacted and whoever looks after the exchange server.
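The header check suggested in the post above, as an added example (not code from the thread): it walks the Received chain of a constructed message to find the first hop and tests whether a Sender header records a delegate. The office range, host names and addresses are assumptions; the result shows which machine submitted the mail, not who was sitting at it.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption for this example: the office LAN uses this private range.
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (not from the thread); hosts and addresses are placeholders.
SAMPLE = """\
Received: from mail.firm.example (mail.firm.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456;
\tMon, 06 Jul 2015 10:02:09 +0100
Received: from DESK-14 ([10.20.3.14])
\tby mail.firm.example with ESMTPSA id ghi789;
\tMon, 06 Jul 2015 10:02:05 +0100
From: Employee <employee@firm.example>
To: undisclosed-recipients:;
Subject: Update
Date: Mon, 06 Jul 2015 10:02:04 +0100

body
"""

# Same message as a delegate would send it "on behalf of": a Sender header is added.
SAMPLE_DELEGATED = SAMPLE.replace(
    "From: Employee", "Sender: Director <director@firm.example>\nFrom: Employee")


def received_hops(msg):
    """Return the Received chain oldest-first as (ip, datetime) tuples."""
    hops = []
    # Each relay prepends its header, so the last one is the first hop.
    for raw in reversed(msg.get_all("Received", [])):
        value = " ".join(raw.split())          # unfold continuation lines
        match = IP_RE.search(value)
        when = None
        if ";" in value:                       # timestamp follows the last ';'
            try:
                when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append((match.group(1) if match else None, when))
    return hops


def analyse(raw_message):
    """Summarise where a message entered the mail system and who it claims to be from."""
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    first_ip, first_time = hops[0] if hops else (None, None)
    in_office = False
    if first_ip:
        try:
            in_office = ipaddress.ip_address(first_ip) in OFFICE_NET
        except ValueError:                     # e.g. 999.1.1.1 matched the regex
            pass
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_addr = parseaddr(msg.get("Sender", ""))[1].lower()
    return {
        "hop_count": len(hops),
        "first_hop_ip": first_ip,
        "first_hop_time": first_time,
        "submitted_from_office": in_office,
        "from": from_addr,
        "sender": sender_addr or None,
        # True only when the client declared a different submitting user.
        "sent_on_behalf": bool(sender_addr) and sender_addr != from_addr,
    }


if __name__ == "__main__":
    for label, raw in (("shared login", SAMPLE), ("delegated", SAMPLE_DELEGATED)):
        print(label, analyse(raw))
```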
they are refusing as they are trying to get to the bottom of how many emails got recalled before being read (can you do this?)
Providing that a read receipt is setup and displayed and clicked on by the recipient, yes.
But when you say all contact info, do you mean all or just an email address?
I do. But the issue (which I don't want to elaborate on for obvious reasons) is that your email address being on the list makes an implication you may rather not want other people making of you (professionally).
some more here, down at the bottom; https://support.office.com/en-gb/article/Recall-or-replace-an-email-message-that-you-sent-35027f88-d655-4554-b4f8-6c0729a723a0?ui=en-US&rs=en-GB&ad=GB&fromAR=1
I do. But the issue (which I don't want to elaborate on for obvious reasons) is that your email address being on the list makes an implication you may rather not want other people making of you (professionally).
Recruitment agent then.
Or escort agency
As everyone has said, the recall is completely ineffective, the only time it can even be remotely useful is if everyone is on the same domain and exchange server and you recall almost immediately.
The horse has truly bolted and them saying they are trying to understand who saw it is just wasting time/avoiding responsibility.
Legally speaking I have no idea where your wife stands. I am not sure if there is anything that can be done regarding the misuse of her computer accounts (company directors or not).
Depending on the industry an Ombudsman of some sort might be interested in how this data was mishandled?
If she were to pursue this legally I would recommend gathering all evidence and speaking to a union rep (if she is a member). It is likely that any case would hinge upon proving someone else accessed her accounts (if the boss won't cough to it); but gathering forensics from her work machine from a hostile employer without their permission might be difficult...
In many organisations sending an email using someone else's account would be a very serious transgression.
Teflon tends to be scoured off by gross misconduct. Disclosing data, using another's account without express permission and there's probably more. If the organisation has DMARC set up then the sending machine IP address will be disclosed in the header. If this shows an office based machine then Mrs Convert is in the clear and Mrs director is screwed and needs to polish her CV.
As a follow on, if the directors have access to everyone's mailboxes none of the employees can be held responsible for any email sent.
The employee simply points out that a number of people have access to the account and repudiates the email.
This is one of the reasons that we urge people not to share accounts in this way.
It might be amusing to send an email to the recipients pointing out the director had sent the original email - then denying having sent the email.
It might be amusing to send an email to the recipients pointing out the director had sent the original email - then denying having sent the email.
I had considered that! Yes, I was always very dubious of their email culture and the expectation to share passwords with directors (or rather they are given passwords and not given the ability to change them). Small company with rubbish policies syndrome (and employees without the balls/confidence/job security) to point out it was wrong.
As others have said a recall outside of Exchange Server simply sends you another message highlighting a cock up! There will be no way to tell how many of those messages were actually deleted and how many were opened.
The email addresses of the recipients are personal data (within the Data Protection Act), however if as your post suggests the data imply something which might have a significant effect on the person then you are into "sensitive personal data" territory. The ICO expects people handling such information to have suitable safeguards in place. That would include generally not giving Directors free rein to send on behalf of others.
The ICO expects you to deal with complaints quickly, and also to have plans in place to respond promptly to any data breach. Waiting to see how many complaints you get is neither good "customer" service nor the right way to respond. The breach has happened even to people who don't complain and they have a right to expect to be informed. If a data subject isn't satisfied with how the data controller responds they can complain to the ICO, case law has now established they can now claim for damages too.
If the implications of the breach are as bad as it sounds then (1) I'm not convinced email address books is the right place to store the information and mail out to all users as mistakes happen; (2) if someone thinks it is worth having a no >100 Bcc's rule then I think it is also worth adding a rule to maximum number of to/cc's as well (probably about 20-30 before you should automatically be raising your eyebrows). It's even worse that this person intentionally added them rather when the Bcc limit gave them a moment to pause and think.
I think your wife is quite right to expect a "public" correction / apology that clearly says it wasn't her behind the email (as well as fixing the issues).
^^ what poly said.
Thanks Poly - very comprehensive response.
The data is not held in address books but rather on a firm wide database. Harvesting the information and exporting out to an email ties up the computer and the user's access to the database for a lengthy period (half an hour or so) so I think she used my wife's account and computer to keep hers free to continue to work on. Whatever, not good.
If your wife has union membership, or legal cover on house insurance, I would speak to them ASAP. I would also be doing everything through email or meetings with union rep or colleague present, and full notes taken.
The company and director have blown it. Blame and processes can happen in future.
Your wife however may be able to salvage something of reputation, however if she cannot then some suitable recompense is due.
As they're finding out - Outlook isn't really the right tool for this. At a push they should be doing a mail merge rather than cramming the addresses into the bcc.
Even on the same exchange server, once read, the message rarely disappears...
In many organisations sending an email using someone else's account would be a very serious transgression.
This is the nub of the issue. Using another employee's account is a complete no-no in any organisation with a proper IT security policy, exactly because of this sort of situation. You still see it happening sometimes, typically with senior execs who hand over management of their email account to a PA.
[i]If[/i] your wife's employer has a properly written IT policy, the line manager's actions should be a clear breach, and responsibility will be an open and shut case. Of course, taking on the owner/director, if they are refusing to step up and admit their error, is not going to be very easy.
The recall is pointless. They need to assume that everyone still has access to the email.
Using a shared email from a generic address is not uncommon but having access to a named email account is odd imo. Sometimes I see a sent on behalf on the bottom but in everywhere I have worked using someone's account email is a no no... Every so often information is sent to the wrong people and someone is out the door.
The company should be sending out a mass email (but not in a crap way) apologizing for the previous communication citing whatever failure they decide is appropriate. Well this should have been done at the point of recall but they can at least try to salvage something but I would guess the only thing left is to make a scapegoat out of someone and publicly push them out. Hopefully not your wife.
Has she at least changed her password (and refused to give it out) to stop someone doing it again?
Has she at least changed her password (and refused to give it out) to stop someone doing it again?
Makes no difference if they have permission to her mailbox.
The data is not held in address books but rather on a firm wide database. Harvesting the information and exporting out to an email ties up the computer and the user's access to the database for a lengthy period (half an hour or so) so I think she used my wife's account and computer to keep hers free to continue to work on. Whatever, not good.
convert I dare say many people here would be able to advise on better ways (or at the very least a more efficient export - it should take seconds!). However whilst a convoluted route to extract the emails is perhaps better than the main address book, obscurity is not the same as security. The proper solution does not involve the user ever having a big list of email addresses in a file which they can (ab)use, but has a tool that says 'send this message to all users [flagged as xyz]' and then the back end does the work.
On a more practical note....
If the boss is refusing to do it, what's to stop your wife from emailing everyone apologizing, and explaining that (whilst she was on holiday) one of her colleagues accessed her account and sent out the offending mail? No need to point the finger.... but stating that she was on holiday, makes it clear to all that it wasn't her cock-up.
It's one thing for the boss to refuse to step up and accept personal responsibility, and quite another to prevent your wife from sending one.
I would probably give her boss a deadline - after which she will send the email herself.
Yep what batfink says, give them the deadline and as said above there are tools to send on behalf of, people can have access to your mailbox properly as but the audit trail remains.
Unless it's a great place to work (doesn't sound like it) a further ultimatum about change in practices, investigation as to how such a breach/screw up occurred (formally) and policies as to how to stop it happening again along with a formal public apology would be the minimum I'd be looking for.
If she is planning to leave then a full summary to be prepared to be submitted to relevant ombudsman including things like all management having the passwords to all accounts and details of what happened and why. If nothing happens send it regardless.
I'd be making sure a copy of the list of names falls into my bag at the end of the day too. Print it out. Just in case this situation goes horribly wrong. And the email.
Auditing is there as long as it is turned on, it (Exchange) has been told what to audit, and how long to retain it. So don't rely on it. I also like the word "hostile" used above to describe the person guarding it. A fair assessment of mail administrators when they are questioned in my experience (assuming this company even has one).
I would be seeking professional advice if there is reputational damage.
Did she have an Out of Office turned on - the complainers would have got that at least.
Ugh what a horrible IT policy, smacks of Directors being control freaks and not trusting their employees. Your wife has every right to demand a public apology, I'd also say they need to agree to review their policies around this to ensure such a situation doesn't reoccur (at least without it being due to gross misconduct), doesn't seem like that's likely to happen though in this case.
Update.
Legal advice being sought as we are both unhappy with the steps that have been taken have been done in such a way to protect my wife's reputation. In fact opportunities have been deliberately missed with complainants to not make clear the apparent sender of the email was not responsible or even at work at the time. Some junior looks like they are going to carry the can and the director get off with nothing.
Regarding logins and passwords in a business.... Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it? I've taken advice from the IT bods where I work and they find it unfathomable. Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin who will collate them and save them in a password protected file which only member of senior management can access. That sounds inept, paranoid and controlling and all kinds of wrong to me. And as stated above it would surely be almost impossible to pin malpractice on anyone as they could always claim that others had access to their accounts so it is unprovable. I sure as hell would not want to be that member of admin with access to all that information.
Poor Mrs C, this has really affected her both through worry for her reputation and lack of trust for her present employer. About one step from a bit of breakdown I fear. She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again. And none of it was her fault.
Sounds awful.
My previous employer had a policy that using someone else's account was grounds for dismissal.
She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again.
I'd say that she is due a very large payout from an employment tribunal for reputation damage.
Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it?
Seriously? A copy of that instruction would help Mrs C's case.
Regarding logins and passwords in a business.... Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it?
WTF?
As "admin" I can log into your account without password whenever I want, why would I need your password? This goes for just about any OS under the sun. Sounds like those IT people are just incompetent.
As xora says, why would admin need your password anyway? I can change any user's password and I can access their document share (though not emails) without even doing that. Of course what it allows "senior management" to do is use anyone's account without their knowledge.
Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it?
I have, and I've fought tooth and nail against it. One of the branches at a previous employer did this, their logic was that "someone else can use their workstation if they're away." They were oblivious to the notion that they were network passwords and anyone can log in anywhere. (For added lols, the password list was securely held in an unlocked desk drawer.)
In the rare cases where it's actually necessary to log in as someone else, their passwords can be reset by the systems admin. If people need access to others' emails (eg, a PA to a director sending mail on their behalf) then rights can be delegated to those users.
If your password is known by *anyone* else you no longer have any accountability, and that's a Bad Thing. Someone gets caught surfing for porn on their lunch hour, "oh, it wasn't me, could be anyone who's seen the password list."
Yes, last two places, the IT dept (one was an external supplier) asked for passwords. I resisted, but was told to tell them. Just seemed totally wrong, but I wasn't IT so had to do as was told.
I sure as hell would not want to be that member of admin with access to all that information.
On a point of order, when I was in IT I always instructed people *not* to tell me their password (usually before they blurted it out unprompted but not always). I don't need it, and I absolutely don't want it. I don't want the finger of suspicion when you do something stupid tomorrow. If I need to monitor, say, Internet activity or emails then I'd do that serverside where access control is tightly controlled and readily visible.
The policy we had is that if something is done in your name, you're culpable. Either you did it, or you were careless with your passwords and that's still your fault. A management policy demanding passwords undermines that. I can only assume / hope that it's born out of ignorance. If it were me in IT there I'd be asking why they felt they needed to do this and then if it was reasonable I'd give them what they needed in a proper, controlled fashion. "Password lists" are insane and there's absolutely no justifiable reason to do it.
Yes, last two places, the IT dept (one was an external supplier) asked for passwords. I resisted, but was told to tell them. Just seemed totally wrong, but I wasn't IT so had to do as was told.
I'd have refused, or given them a password and then changed it the next day.
In fact that's just reminded me, years back my non-technical boss kept demanding the master domain admin password. After a bit of to-ing and fro-ing with me getting busted for giving him dummy passwords, I wound up creating a new Admin account and revoking the rights on the Administrator account to turn it into a regular user with 'log on locally' rights to the server. He was happy with that, he tested the login to see that it worked but didn't actually try to do anything.
devash - Member
She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again.
I'd say that she is due a very large payout from an employment tribunal for reputation damage.
Nope - not a chance. Tribunals only award for financial losses and there is no grounds for going to a tribunal here
Well maybe if she is in a position that she ends up forced to resign ( constructive dismissal) and is able to show the reputational damage has cost her further employment.
However from what we know I don't see this as a constructive dismissal at all
I think I would tell the director responsible that she needs to repair the damage to her reputation by sending a follow up email to the entire list stating it was not her who sent the email but someone else with access to her email and sod the bosses on that. If they sack her for that then a tribunal claim is much stronger.
Legal advice is a good step
Regarding logins and passwords in a business.... Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it? I've taken advice from the IT bods where I work and they find it unfathomable. Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin who will collate them and save them in a password protected file which only member of senior management can access. That sounds inept, paranoid and controlling and all kinds of wrong to me. And as stated above it would surely be almost impossible to pin malpractice on anyone as they could always claim that others had access to their accounts so it is unprovable. I sure as hell would not want to be that member of admin with access to all that information.
Managers who don't understand IT are inevitably lost in the modern world. They likely haven't demanded this because they MUST have it but because they haven't understood the alternatives. Unfortunately success in IT isn't always linked to your ability to communicate effectively with the business stakeholders and so the IT team are at least partly to blame. It sounds like the sort of thing that happens in SMEs where there isn't a real IT person just 'bob' who likes computers and who made something in MS Access once and so fell into it.
...but knows doing so will also mean she is unlikely to work in the profession again. And none of it was her fault.
I don't know which industry she is in, but many of the more sensitive ones are much more enthusiastic about whistleblowers and those who stand up for doing things right than they used to be. I'd be surprised if the industry was so small it closed all doors. However, before she goes saying "none of this is my fault", I think there needs to be a moment of reflection, it was foreseeable that security breaches will happen with the approach they were taking. Everyone has a duty to highlight security vulnerabilities which affect people's personal data. If she works in a sector where she could really be expected to suffer huge reputational damage for this, I'd think having knowingly allowed this sort of account sharing to go on reflects badly too. It's difficult to know how much the "industry" would blame her, without knowing the industry or the size of the company.