Are you accidentally leaking confidential data using Excel?
By Daniela Cooper, on 24 November 2017
When thinking about what you need to consider about information security when using Excel, the common ones are probably:
- keeping Excel patched and up-to-date,
- not accidentally sending confidential information in an Excel spreadsheet to someone who shouldn’t have access to that information.
Do those considerations extend to being mindful of what information is contained within a vlookup range?
It turns out that Excel caches the information held in a vlookup range, thus making that information available to the spreadsheet where it has been referenced, even when the original information is deleted.
The following page explains it better than I can:
I cannot find anywhere that Microsoft warns its users that this happens and to be careful not to accidentally leak confidential information in this way.
The ICO (Information Commissioners Office) have fined organisations for leaking confidential information is this way, one organisation was fined £185K. The ICO have written a good guide on ‘How to disclose information safely’:
The only advice we can offer is, if you are sharing information in a spreadsheet that uses vlookups:
- save the file as .csv, this format does not support features such as vlookup.
- Export the information to a pdf.
A couple of other considerations:
- When using filters in Excel, don’t forget that others can change those filters and have access to the full information.
- When sending Excel spreadsheets that contain confidential information, password protect them and give the password by phone not email. Password protected Excel files are encrypted using AES 128-bit encryption, just remember to use a good password with upper-case and lower-case characters, numbers and symbols.
Updated to include guidance from the ICO.