Excel's dirty little secret

Microsoft Excel, the predominant spreadsheet in use today, contains a feature that could expose sensitive corporate data once the document is distributed within a company or among trading partners.

That feature is drawing an increased level of attention from researchers and Excel users alike as its implications become more fully understood. One expert calls it "as potentially damaging" as many of the most recent viruses.

Excel has features that allow spreadsheet creators to hide, lock and/or password-protect data and mathematical calculations used in original documents. These features seemingly provide a measure of data security to conceal specified data from prying eyes.

In reality, that data can be exposed by any end user who can execute a simple copy-and-paste procedure. It takes fewer steps to reverse the security than it does to set it up.

When Excel data is copied using the "copy all" command and pasted into a new spreadsheet, it exposes the hidden and password-protected cells, which may contain data such as employee salaries, return-on-investment or expense report calculations, or request-for-proposal formulas. Excel users must execute an "unhide" command in Excel before they see the previously protected data in the spreadsheet copy, but in non-Microsoft spreadsheets the hidden cells are automatically revealed.

Unless access to the document is locked down, Excel cannot protect any information, although the program gives the illusion that it can, critics say.

The result for large corporations is that millions of Excel documents shared between co-workers and business partners could become a security breach for confidential data.

"I thought there was some security. I had no idea," says Jeff Ostroff, the owner of a Web site that offers car-buying tips and free spreadsheets designed to calculate deals. Ostroff's site states that password protection is used on Excel so viewers cannot manipulate or hijack his formulas. "I'm surprised it is that easy to expose the data," he adds.

Ostroff believes that 99% of users don't know the secret. "We get requests for the passwords all the time from people who want to change the formulas."

Some say the issue creates a major security concern.

"The method of password-protecting data in Excel is something companies around the world rely on," says Rick Sturm, president of Enterprise Management Associates (EMA), a consulting and research firm that encountered the security hole when it was creating spreadsheets to share with clients. "This is like putting a password on a document while also supplying a Post-It Note revealing the password. It's as potentially damaging as some of these recent viruses that have spread around the world."

A simple example, according to EMA researchers, is that a user could copy and paste an expense report to another spreadsheet as a way to expose a password-protected mileage calculation formula. The mileage reimbursement figure could be increased from .31 to .81. The user would then save the document with the same name as the original and send it back, even password-protecting the new formula.

Microsoft officials say the ability to password-protect and hide data is not a "security" feature but a "display" feature. That means that while creators of spreadsheets can hide data from display, or protect it from manipulation on the original document, they cannot safeguard or secure it from view or manipulation if another user copies and pastes the data.

Experts say perception is the critical factor.

"The key question is what does the typical Excel user expect," says Richard Smith, an independent Internet Security and Privacy consultant and former CTO of the Privacy Foundation.

"The user is led to believe you get some level of security," Smith says. "People's expectations of the feature are different from Microsoft's. It's a classic overselling of a feature and when issues are revealed Microsoft backtracks. How are customers supposed to read Microsoft's mind?"

Many have not, but Microsoft officials say Excel is no way to safeguard data.

"If you give someone read access to an unencrypted file, there is really no way to protect the data," says Jeanne Sheldon, director of engineering services for Microsoft Office. "If you are trying to protect data this is not the way to do it."

Microsoft suggests a relational database for that level of security. However, Sheldon says Microsoft will clarify the intended use and limitations of hidden and password features in the next version of Excel, which likely won't ship until 2003.

"There is little awareness in the public on this because Microsoft appears to uphold the password protection [in the original document], creating an illusion of security when in fact there is none," says Ned Endler, EMA's IT manager. He says it is clear that people are making security assumptions based on the words "password" and "hidden" and the online help menus within Excel that say data is "protected" and can't be "unhidden."

Endler cites the U.S. Department of Agriculture's Web site, which includes a set of guidelines for producing secure documents that includes the method for securing Excel documents that is foiled by the technique.

"It's a disservice because of the ambiguity for the average user," Endler says.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Fontana

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?