In corporate networks, a “collision” is usually associated with infrastructure failure: two devices sharing the same IP address, traffic misdirected, and ultimately communications breaking down. However, a quieter and potentially more damaging form of collision is becoming increasingly common inside organisations: identity collisions.
Unlike their network equivalents, identity collisions do not announce themselves with outages or alerts but instead surface subtly. It might be an email sent to the wrong recipient, access rights granted to the wrong employee, or compliance reports that quietly misattribute activity. In the worst cases, sensitive information is disclosed because two people or machines appear interchangeable inside digital systems.
As organisations grow, digitise and automate, identity collisions are no longer edge-case anomalies. They are an operational risk that boards and executives can no longer afford to treat as an IT housekeeping issue.
How Identity Collisions Occur
At their simplest, identity collisions arise from a problem most organisations underestimate: people have the same names, initials, or combinations of both. As workforces expand and globalise, the probability of duplicate first-and-last-name combinations rises sharply. Common surnames amplify the risk.
Many organisations still rely on legacy naming conventions, such as first initials plus surnames, to create email addresses and system accounts. What works in a 50-person company quickly becomes unmanageable in a workforce of thousands.
Consider two employees named John Smith and Jane Smith. If an organisation uses a “first initial + surname” format, both logically map to the same identifier and thus user account name: “[email protected]”.
Even where technical systems enforce uniqueness by appending numbers or characters, the problem often persists at the human layer: address books, approval workflows and access requests frequently display names without sufficient context. The result is not just confusion, but systemic ambiguity. Employees selecting identities from drop-down menus or search results may unintentionally choose the wrong individual without additional context. This problem can lead to automated workflows misrouting approvals, access rights being misassigned, or sensitive communications reaching the wrong person. Over time, these small errors compound into operational exposure and serious risk.
Why Similar Identities Create Real Risk
Identity collisions introduce three categories of risk that resonate far beyond IT departments:
First, there is operational inefficiency. Time is wasted correcting misrouted emails, reconciling audit discrepancies and resolving access errors. In highly regulated environments, these inefficiencies quickly become cost centres.
Second, there is compliance and forensic risk. Shared or overlapping identities undermine the reliability of logs and reports. When two individuals appear to be one, or one appears to be two, organisations lose the ability to confidently attest who did what and when. In the event of an investigation, this ambiguity can prove costly.
Third, and most critically, there is security risk as identity collisions create fertile ground for phishing, impersonation, and privilege misuse. A spoofed email address that closely resembles a legitimate one can be mistakenly trusted, forwarded or added to contact lists. Once embedded in daily workflows, these errors are difficult to detect and reverse.
Fixing the Problem at the Source
Despite their inevitability, identity collisions are largely preventable. The most effective controls are not complex, but they require discipline and consistency. Consider these recommendations:
- Clear and distinct naming conventions are a foundational step. Abbreviated or partial identifiers may appear convenient, but they dramatically increase collision probability. The cost of a byte compared to years past, or eight-character user account restrictions, does not warrant shortening a name to an initial to save storage space or cost.
- Equally important is the elimination of shared accounts. While shared credentials may appear efficient for teams or roles, they obscure accountability and magnify the impact of collisions. In forensic scenarios, shared accounts make it virtually impossible to determine individual responsibility.
- Account reuse is another silent hazard. Reassigning an old email address or username to a new employee or a boomerang employee (an employee that has left the organisation and returned to employment) may seem harmless, but it creates continuity risks that can be very difficult to reconcile.
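
The naming-convention and account-reuse points above can be checked against an HR roster before accounts are provisioned. The following is an added example, not part of the original article: the roster, employee IDs, retired-account list and function names are all constructed for illustration. It compares the “first initial + surname” convention with a full-name convention and flags identifiers that would reuse a departed employee's account.

```python
import unicodedata
from collections import defaultdict

# Constructed sample roster: (employee_id, first name, last name).
ROSTER = [
    ("E1001", "John", "Smith"),
    ("E1002", "Jane", "Smith"),
    ("E1003", "José", "Smith"),
    ("E1004", "Priya", "Patel"),
    ("E1005", "Pooja", "Patel"),
    ("E1006", "Alan", "O'Neil"),
]
# Constructed list of identifiers that belonged to departed staff.
RETIRED = {"aoneil", "alan.oneil"}


def normalise(name):
    """Lower-case, strip accents and drop non-letters (José -> jose)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_name.lower() if ch.isalpha())


def initial_surname(first, last):
    return normalise(first)[:1] + normalise(last)


def full_name(first, last):
    return normalise(first) + "." + normalise(last)


def audit(roster, convention, retired=frozenset()):
    """Return (collisions, reused): identifiers claimed by more than one
    employee, and identifiers that would reuse a retired account."""
    owners = defaultdict(list)
    for emp_id, first, last in roster:
        owners[convention(first, last)].append(emp_id)
    collisions = {ident: ids for ident, ids in owners.items() if len(ids) > 1}
    reused = {ident: ids for ident, ids in owners.items() if ident in retired}
    return collisions, reused


if __name__ == "__main__":
    for convention in (initial_surname, full_name):
        collisions, reused = audit(ROSTER, convention, RETIRED)
        print(convention.__name__, "collisions:", collisions, "reused:", reused)
```

A full-name convention removes the collisions in this sample but not all of them: two employees who are both named John Smith still map to one identifier, so the identifier should ultimately be tied to a unique employee record rather than to the name alone.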
Technology and Training Must Work Together
Modern identity security tools can play a critical role in detecting and mitigating collisions. These platforms map identities to accounts, analyse relationships across systems and highlight overlaps that introduce risk. However, when identity collisions occur in an environment, the results can be deeply flawed, so technology alone is insufficient. Employees remain the final decision-makers in many workflows. Training programs must explicitly address identity awareness:
- How to verify recipients when possible collisions exist (calling, texting, email, etc.)
- Look at photos of individuals when selecting a contact
- How to spot near-duplicate or similar addresses used in phishing campaigns
- Thinking twice before sending sensitive information when the contact name has not been verified.
A Risk That Can Be Managed
Identity collisions are not new, and they are known by many names across the cybersecurity community: duplicate accounts, spoofed identities, mis-mapped credentials. What is changing is their scale and impact.
As organisations adopt cloud services, automate provisioning, and rely more heavily on digital trust, the margin for identity ambiguity shrinks. The cost of getting it wrong – reputationally, financially and legally – continues to rise.
Avoiding identity collisions requires more than technical fixes. It demands recognition at the leadership level that digital identity is a business asset, not merely an IT construct. Clear policies, consistent enforcement and ongoing oversight are essential. This may even mean revisiting the usernames and accounts used for system access and email to avoid future conflicts.
In an era where trust is increasingly mediated by systems rather than people, ensuring that every digital identity maps cleanly to a real one is no longer optional. It is a prerequisite for doing business safely.



