I’m not sure where to put it as this is not exactly a technical issue… Please consider the following:
• Users (role ‘customer’) have access to Zammad’s web UI.
• Some customer creates a ticket via e-mail and they are cc’ing someone else (3rd party, employee).
• For whatever reason that 3rd party replies to that e-mail (reply to all) but deletes the ticket owner (in this case, the customer)—so their e-mail is only sent to Zammad.
While the ticket owner/customer wouldn’t get an e-mail with that answer, they can still see that answer when they login to Zammad (web interface).
I hope you’re understanding what I’m trying to explain. While I think this situation wouldn’t appear often, I can tell you that it happened with one of my customers and their employees.
The employee replied to the ticket (to: Zammad) with some personal information. They did not include the ticket owner/their CEO in ‘to’ nor in ‘cc’/‘bcc’, but they (ticket owner/CEO) would still be able to see that answer within the Zammad web interface.
Our DPO’s position is that this should not be the case.
I can’t think of a solution—except for having a trigger welcoming CC’ed ‘users’/addresses (which doesn’t seem to be possible at the moment).
Do you have any ideas/statements regarding this situation?
This smells like shared organization being enabled for the organization in question.
Because: If I understood correctly, the CEO of the company was not in CC and thus has nothing to do with the second created ticket, but is a member of the same organization.
Please note that shared organizations have a great potential for data security issues (and are set to “yes” by default upon creation).
Not exactly, but maybe I misunderstood the issue. I’ve tested Zammad’s behaviour and came to the conclusion, that the 3rd party must have done the following:
• They clicked on ‘reply’ or ‘reply all’ on an e-mail they have been CC’ed from Zammad
• They deleted the original ‘to:’ (i.e. the former ‘from:’, customer/ticket owner)
• They put in the address from Zammad into the ‘to:’-field and left all other fields (CC/BCC) blank
Zammad would then add that e-mail to the existing ticket because of the (invisible) header—and thus, the ticket owner could see the answer.
I don’t think there could be a way to implement a ‘solution’ to this, and I understand if you think (as I do, now) almost no one would work with e-mail this way—but obviously, someone did.
So I’ll leave this here for discussion and consideration.
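As an added illustration of the threading behaviour described in the post above (example code written here, not Zammad’s own code): it assumes, as an assumption the thread does not confirm, that the “(invisible) header” is the standard In-Reply-To/References pair, and shows a check that flags a reply which threads into an existing ticket without addressing the ticket’s customer. All addresses, Message-IDs and the ticket number are constructed sample data.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample data (not real traffic): addresses, Message-IDs and the
# ticket number are made up for this example.
TICKET_NUMBER = "20230001"
CUSTOMER = "ceo@customer.example"
ZAMMAD = "support@helpdesk.example"

# Article 1: the customer's original mail that created the ticket; the
# employee was CC'ed on it.
ORIGINAL = f"""\
From: {CUSTOMER}
To: {ZAMMAD}
Cc: employee@customer.example
Subject: Question about invoice
Message-ID: <orig-1@customer.example>
Date: Mon, 02 Oct 2023 09:00:00 +0000

Hello, please check the attached invoice.
"""

# Article 2: the employee's reply. They removed the customer from To/Cc and
# sent it only to the helpdesk address, but their mail client kept the
# threading headers, so it still lands in the same ticket.
REPLY = f"""\
From: employee@customer.example
To: {ZAMMAD}
Subject: Re: Question about invoice
Message-ID: <reply-1@customer.example>
In-Reply-To: <orig-1@customer.example>
References: <orig-1@customer.example>
Date: Mon, 02 Oct 2023 10:00:00 +0000

Some personal information that was only meant for the helpdesk.
"""


def parse(raw):
    """Parse an RFC 5322 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def index_article(raw, ticket, index=None):
    """Record the Message-ID of a stored article so later replies can be
    threaded back to its ticket. Returns the (updated) index dict."""
    index = {} if index is None else index
    mid = parse(raw).get("Message-ID", "").strip()
    if mid:
        index[mid] = ticket
    return index


def referenced_ids(msg):
    """Message-IDs named in the In-Reply-To and References headers."""
    ids = set()
    for header in ("In-Reply-To", "References"):
        ids.update(part.strip() for part in msg.get(header, "").split())
    return ids


def match_ticket(msg, index):
    """Return the ticket number this message threads into, or None.
    Only header-based threading is modelled here (no subject parsing)."""
    for mid in referenced_ids(msg):
        if mid in index:
            return index[mid]
    return None


def recipients(msg):
    """Lower-cased set of every address in To, Cc and Bcc."""
    addrs = set()
    for header in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.add(addr.lower())
    return addrs


def audit_reply(raw_reply, index, customer):
    """Return (ticket, customer_addressed).

    customer_addressed is False when the reply threads into a ticket but the
    ticket's customer is not among its recipients: the article will be
    visible to that customer in the web UI although the sender never
    addressed them. Both values are None if the mail does not thread into a
    known ticket."""
    msg = parse(raw_reply)
    ticket = match_ticket(msg, index)
    if ticket is None:
        return None, None
    return ticket, customer.lower() in recipients(msg)


if __name__ == "__main__":
    index = index_article(ORIGINAL, TICKET_NUMBER)
    print(audit_reply(REPLY, index, CUSTOMER))
```

Running the block attaches the reply to ticket 20230001 and reports that the customer was not addressed; a hook like this, placed wherever incoming mail is classified, is the kind of check that could at least warn an agent before such an article becomes visible.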