Royal Dutch Shell plc .com

Shell guilty of allowing world's biggest breach of employee details

By John Donovan

The Shell media spin machine went into overdrive last week trying to downplay the world's biggest ever leak of employee details, including personal information, which Shell Ethics boss Richard Wiseman has twice admitted puts the safety of some employees at risk.

A copy of a related email from Mr Wendel Broere, Group spokesman, Global media relations, Shell International B.V, desperately engaged on a damage limitation exercise with the news media, was leaked to me on the day it was sent. My role is discussed in the email, no doubt because I am the person who broke the story which turned into a global PR disaster for Shell, with all kinds of unwelcome repercussions, including an investigation by the Information Commissioner's Office and the prospect of a fine for being reckless with confidential employee data.

The information sent by Broere on the record says that Shell is investigating the matter and will comply with all legal requirements. The issue of personal security is only mentioned “Off the record” in his email, down-played to being no greater risk to Shell employee personal safety than merely handing out a business card.

Shell now says there was no private address information. That was not the case in the leaked employee data I received, which Shell pressured me into destroying before Shell media started pumping out smoke. In fact, many post-codes were included in the data: far more than could be only Shell addresses. Personal mobile phone numbers were also included, along with an array of other contact information.

The line now being taken by Shell is totally incompatible with the unambiguous statement on the personal security aspect made by Shell Ethics boss Richard Wiseman, which he subsequently reconfirmed to me by email. This was after I published a leaked email Wiseman had sent to all employees, which failed to mention any risk to personal safety.

And it was not just Shell employee information that was leaked, but four other data files, all forming part of a carefully contrived plan – formulated with almost military precision – for a claimed corporate revolution at Shell by a subversive group that appears to have successfully infiltrated the oil giant. The whole thrust of the plan directed at Shell is motivated by its alleged crimes in Nigeria, which are listed in the extraordinary document.

Following contact with the Information Commissioner's Office, we have also destroyed the other related files supplied within the attachment containing the Shell Global Address Book. However, we understand that now that the information has escaped into cyber-space, it will always be potentially retrievable.

Although Shell Corporate Affairs Security (CAS) is mounting a major investigation, how much confidence can employees have in a department headed by retired spooks, when CAS was presumably ultimately responsible for safeguarding security in the first place? At least it might divert CAS from carrying out “invisible” investigations against the Donovans.

Clearly the global spying by CAS against Shell employees to try to stop information from reaching us has not been entirely successful. The flood of leaked Shell information continues unabated.

According to a posting on our Shell Blog by a Shell IT insider (a regular contributor of articles to this website), a breach of the employee Directory could have happened at any time in the last decade:

IT4me: What interests me about the Directory Leak story is that any competent scripter could have done this at any time in the last 10 years using just NOTEPAD and maybe 20 lines of VBS code. That’s because Active Directory (parts of it anyway) has been left open for use by RDS’s diverse collection of systems. So why didn’t it happen before? And why doesn’t this sort of thing ever happen at GOOGLE?
