Royal Dutch Shell Plc .com

POTENTIALLY DISASTROUS DATA SECURITY BREACH AT SHELL

By John Donovan

Another major humiliation and security breach for Shell.  First we beat Shell to the top level domain name for Royal Dutch Shell Plc.  As a result, with Shell’s written approval, we process job applications and business proposals meant for Shell, dealing with them as we deem appropriate.

We also regularly publish leaked Shell information, including for example breaking the news last May about Voser’s Transition 2009 plans for Shell.

Now a further huge embarrassment. We have in our possession a leaked database directory with contact information for every Shell employee on the planet – over 100,000 people. This is despite a global spying operation by Shell against its own employees designed to prevent insider information from reaching us. Shell Corporate Affairs Security is no doubt redoubling its efforts to plug the leaks, but the damage continues.

We supplied some sample data to Shell from the internal directory and also sent test emails to a sampling of listed Shell employees (and advised Shell accordingly). The Directory also includes information on employees of Sakhalin Energy. Gazprom is unlikely to be pleased to learn of such a serious breach of security.

Published below is a selection of self-explanatory email correspondence with Shell, which is now concluded. Mr Wiseman did not mention the risk of the information being used for identity theft.

EMAIL FROM JOHN DONOVAN TO RDS PLC COMPANY SECRETARY MICHIEL BRANDJES

From: John Donovan [mailto:[email protected]]
Sent: 03 February 2010 12:29
To: Brandjes, Michiel CM RDS-LC
Cc: Wiseman, Richard RM SI-RDS-CCO
Subject: COLOSSAL SECURITY BREACH AT SHELL

Dear Mr Brandjes

We are in possession of a massive database containing contact information for every Shell employee throughout the world.

It was supplied by an organized group of over 100 Shell employees from the USA, the UK and the Netherlands intent on a corporate revolution inside your company. We agree with the aims of the group.

No doubt “CAS” is already investigating this colossal breach of security.

In addition to an article being prepared, we intend to make the database available online later today.

Please advise as a matter of urgency if Shell has any objections, and if so, what they are. Obviously we do not want to put anyone at risk, though we cannot currently see that this would be the case.

If it is just a matter of a huge embarrassment for Shell, then we will publish as planned.

Best Regards
John Donovan

REPLY FROM RICHARD WISEMAN, CHIEF ETHICS & COMPLIANCE OFFICER, ROYAL DUTCH SHELL PLC

From: [email protected]
Date: 3 February 2010 13:29:07 GMT
To: [email protected]
Cc: [email protected]
Subject: RE: COLOSSAL SECURITY BREACH AT SHELL

Dear Mr Donovan

Unfortunately, Mr Brandjes is not able to respond and in view of the deadline you have imposed, I thought it sensible to reply.  You will appreciate that our immediate concern is the security of Shell’s staff.  Accordingly I should be grateful if you would let me know exactly what information you have and intend to publish.  In particular, please let me know whether this information includes private contact information like addresses and phone numbers, in which case we would protest very strongly indeed and require that this information is not published.

Regards

Richard Wiseman

Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA

Registered in England and Wales number 4366849
Registered Office:  Shell Centre, London, SE1
Headquarters: Carel van Bylandtlaan 30, 2596 HR
The Hague, The Netherlands

Email: [email protected]
Internet: http://www.shell.com

REPLY FROM JOHN DONOVAN

From: John Donovan <[email protected]>
Date: 3 February 2010 13:58:52 GMT
To: [email protected]
Subject: Re: COLOSSAL SECURITY BREACH AT SHELL

Dear Mr Wiseman

As indicated, we have no wish to jeopardize the security of Shell staff and will delay publication of public access to the database until you have had an opportunity to consider the matter with your security advisors and advise us the outcome. If there is any genuine danger to your employees, then we will not make the database available online.

I will shortly send you samples of the information in the database.

We will however press ahead with publication of other related information.

Regards
John Donovan

FURTHER EMAIL FROM RICHARD WISEMAN

From: [email protected]
Date: 3 February 2010 15:41:44 GMT
To: [email protected]
Subject: Directory Publication

Dear Mr Donovan

I have now had a chance to consider this and consult with colleagues more familiar with the nature and contents of the “leaked” directory than I am.  I am afraid I must ask you not to publish the data.

The reasons for this request are as follows:

1  Although the data are predominantly business related, some of the information is personal – some telephone numbers for example.
2  Some of the information is sensitive from the security point of view and in some cases personal safety could be compromised by its publication.
3  Although this is a “Shell” directory, it contains information about considerable numbers of people who are not employed by Shell but who are employed by third parties.

In the circumstances therefore, I’d be grateful for your assurance that you will not be publishing the directory.

Regards

Richard Wiseman

Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA

REPLY FROM JOHN DONOVAN TO RICHARD WISEMAN

From: John Donovan <[email protected]>
Date: 3 February 2010 16:12:09 GMT
To: [email protected]
Subject: Re: Directory Publication

Dear Mr Wiseman

I note your polite request and the grounds on which it is made.

I would not wish to take a chance putting anyone's personal security at risk.

I feel sure my father will share this view and will speak with him late this evening and send confirmation in the morning.

At least we have a nice database from which to compile an email list.

Regards
John Donovan

REPLY FROM RICHARD WISEMAN TO JOHN DONOVAN

On 3 Feb 2010, at 16:20, [email protected] wrote:

Dear Mr Donovan

Thank you for taking this responsible approach.  Please let me know in good time if you change your mind.

Regards
Richard Wiseman

Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA

EMAIL TO RICHARD WISEMAN FROM JOHN DONOVAN

From: John Donovan <[email protected]>
Date: 4 February 2010 16:28:07 GMT
To: [email protected]
Subject: Re: Directory Publication

Dear Mr Wiseman

Just to confirm that based on what you have stated about the risk of compromising personal safety, we will not be making the relevant Directory information available online. This is in line with a previous decision not to publish an article on a different matter when Mr Brandjes made a request for us not to do so, because of special circumstances he disclosed to us.

Regards
John Donovan

EMAILS END

RELATED WALL STREET JOURNAL ARTICLE
