Exposing Excel's Dirty Little Secret

Microsoft Excel, the predominant spreadsheet in use today, contains a feature that could expose sensitive corporate data once the document is distributed within a company or among trading partners.

That feature is drawing an increased level of attention from researchers and Excel users alike as its implications become more fully understood. One expert calls it "as potentially damaging" as many of the most recent viruses.

Excel has features that allow spreadsheet creators to hide, lock, and/or password-protect data and mathematical calculations used in original documents. These features seemingly provide a measure of data security to conceal specified data from prying eyes.

In reality, that data can be exposed by any end user who can execute a simple copy-and-paste procedure. It takes fewer steps to reverse the security than it does to set it up.

When Excel data is copied using the "copy all" command and pasted into a new spreadsheet, it exposes the hidden and password-protected cells, which may contain data such as employee salaries, return-on-investment or expense report calculations, or request-for-proposal formulas. Excel users must execute an "unhide" command in Excel before they see the previously protected data in the spreadsheet copy, but in non-Microsoft spreadsheets the hidden cells are automatically revealed.

Only an Illusion

Unless access to the document is locked down, Excel cannot protect any information, although the program gives the illusion that it can, critics say.

The result for large corporations is that millions of Excel documents shared between co-workers and business partners could become a security breach for confidential data.

"I thought there was some security. I had no idea," says Jeff Ostroff, the owner of a Web site that offers car-buying tips and free spreadsheets designed to calculate deals. Ostroff's site states that password protection is used on Excel so viewers cannot manipulate or hijack his formulas. "I'm surprised it is that easy to expose the data," he adds.

Ostroff believes that 99 percent of users don't know the secret. "We get requests for the passwords all the time from people who want to change the formulas."

Some say the issue creates a major security concern.

"The method of password-protecting data in Excel is something companies around the world rely on," says Rick Sturm, president of Enterprise Management Associates, a consulting and research firm that encountered the security hole when it was creating spreadsheets to share with clients. "This is like putting a password on a document while also supplying a Post-It Note revealing the password. It's as potentially damaging as some of these recent viruses that have spread around the world."

A simple example, according to EMA researchers, is that a user could copy and paste an expense report to another spreadsheet as a way to expose a password-protected mileage calculation formula. The mileage reimbursement figure could be increased from .31 to .81. The user would then save the document with the same name as the original and send it back, even password-protecting the new formula.

Display Only

Microsoft officials say the ability to password-protect and hide data is not a "security" feature but a "display" feature. That means that while creators of spreadsheets can hide data from display, or protect it from manipulation on the original document, they cannot safeguard or secure it from view or manipulation if another user copies and pastes the data

Experts say perception is the critical factor.

"The key question is what does the typical Excel user expect," says Richard Smith, an independent Internet security and privacy consultant and former chief technology officer of the Privacy Foundation.

"The user is led to believe you get some level of security," Smith says. "People's expectations of the feature are different from Microsoft's. It's a classic overselling of a feature and when issues are revealed Microsoft backtracks. How are customers supposed to read Microsoft's mind?"

Many have not, but Microsoft officials say Excel is no way to safeguard data.

"If you give someone read access to an unencrypted file, there is really no way to protect the data," says Jeanne Sheldon, director of engineering services for Microsoft Office. "If you are trying to protect data this is not the way to do it."

Microsoft suggests a relational database for that level of security. However, Sheldon says Microsoft will clarify the intended use and limitations of hidden and password features in the next version of Excel, which likely won't ship until 2003.