Article by Glen Frost, Editor, The PR Report

Yes, 15 billion. This is the claim of John Donovan, a UK blogger who campaigns against  the global oil producing giant Shell (full name Royal Dutch Shell) using his blog www.royaldutchshellplc.com .

Arguably the most powerful blog in the world dedicated to covering one company; and intrigued as to how the site developed such influence, Glen Frost met with the blog’s founders, John and Alfred Donovan, to get the full story.

EXTRACTS

The blog is now so popular, and trusted, the site appears on the front page of major newspapers (see pictures), and has ex‐employees from Shell contributing regular articles

The Russian connection: the scoop that made the  Donovan’s blog famous

The Donovans had been collecting and publishing information online about Shell’s activities since 2001; this information dates back to the mid 1980’s and their former business relationship with Shell. Over the years, more and more people in the oil industry discovered the website, and the Donovan’ s have been swamped with information about Shell from both suppliers, contractors, insiders and former employees.

Some of this information concerned Shell’s activities in Russia from 1996. A Shell‐led consortium (called Sakhalin Energy) and the Russian Government entered into a production sharing agreement. It was information on alleged environmental abuses by the consortium from the Donovan’ s that killed the deal. John Donovan said he suspected his information was the trigger but didn’t know for sure until Oleg Mitvol, a senior figure in the Russian Government, stated so in a media interview.

Asked by a journalist from PetroleumArgus, a trade magazine, who his sources were for the environmental abuse charges that Mitvol laid against the Sakhalin Energy consortium, Mitvol, then deputy head of Russia’s environmental watchdog Rosprirodnadzor, said he had “email correspondence between executives in Sakhalin Energy management from 2002.”

The compromising material had come from Donovan, owner and blogger of the anti‐Shell website www.royaldutchshellplc.com, Mitvol said.

Donovan estimates the value lost to Shell is US$15 billion.

The Donovan’s website is a full frontal attack on Shell’s management and ethics. Shell has tried to shut the site down on the grounds that it uses the company name. However, the site www.royaldutchshellplc.com  makes no money, and, crucially, is registered in the USA, where laws on websites are weighted in favour of the domain owner.

“Our site receives up to 2.2 million hits a month; we want it to become a magnet for people who have a problem with the
company,” says Donovan.  “Many of the people using the site are Shell employees.

Blog publishes market sensitive information

Donovan publishes market sensitive information on the site, and he, and the website, are now quoted by esteemed news organisations like Reuters and The Financial Times. For example, Donovan  published information questioning the level of Shell’s reserves, in which the company was found to have inflated its oil and gas reserves by some 20% in 2003‐04, which led to negative media headlines.

The picture (right; The Daily mail, UK 8th Sept 2009) shows how Donovan’s blog published details of staff cuts before Shell had announced them to the markets and the media.

Because of the blog, and the Donovan’s insistence on publishing all information he can verify about Shell, good and bad, John Donovan’s influence with the media is now global, instant and at a senior level – John lists the names of all the UK, US and global media outlets, their Editors or senior correspondents covering corporate news or the oil sector as his contacts.

Shell’s external PR advisors

A post on the Donovan’s website links to an article in a recently published book on corporate reputation and the rise of blog sites that attack, or expose, poor corporate ethics and illegal or dubious corporate activity, and what CEOs should do about such sites; http://www.shellnews.net/images/CorporateReputationAED.pdf ‐ the book is written by Dr Leslie Gaines‐Ross, who, incidentally, was previously CMO of Burson‐Marsteller USA, who manage Shell’s public relations.

FULL ARTICLE (FREE SUBSCRIPTION)
Previous PR Report issues here: http://thepublicinterest.ning.com
PR Report Facebook page: http://tinyurl.com/ykg6p7j
PR Report YouTube channel: www.youtube.com/theprreport

EXTRACT FROM BOOK REFERRED TO ABOVE: “REPUTATION LOSS – 12 Steps to safeguarding and Recovering Reputation”

One such empowered activist is arch Shell critic Alfred Donovan. No one was more surprised than Royal Dutch Shell PLC to learn that this 88-year-old British army veteran had purchased the Internet domain name www.royaldutchshellplc.com. The gadfly Donovan was a well-known, though underestimated, critic of the company. By acquiring the domain name, Donovan obtained the perfect platform to voice his criticisms of the oil giant. Who would have thought a decade ago that such an unlikely individual could stand up to a corporate powerhouse, waging a war of words against one of the world’s largest companies?

TONY HAYWARD, BP’s chief executive, has set the FTSE 100 oil group on a collision course with investors and environmentalists over a blockbuster oil sands deal.

A company funded by the charitable arm of Royal Dutch Shell, the oil giant, has developed a cheap and efficient stove that it says could save carbon and lives.

PETER VOSER, chief executive of Royal Dutch Shell, is selling $10 billion (£6.4 billion) of assets as part of his drive to revitalise the oil giant.

Evening Express: Claim that oil firm staff could be at risk

By Jennifer McKiernan and Charlotte Jordan

Published: 12/02/2010

ADVICE: Shell employees at Tullos have been told not to be alarmed

A DATA leak has put Shell oil workers in danger from cyber-criminals and environmental activists, it was claimed today.

A Shell database containing details of 102,000 employees and contractor information was accessed and sent out from the firm, which has a major base in Aberdeen.

The information includes private addresses and mobile phone numbers.

Among those to be sent the details were British blogger John Donovan who said the personal details could be used to dupe staff and put workers in dangerous situation.

He said he “knew for certain” the data had been passed to a Nigerian activist organisation and six other groups.

And he accused the oil company of “covering-up” the full extent of risk to staff.

E-mails from Shell’s chief ethics and compliance officer Richard Wiseman said employee and contractor security could be compromised by the leaked data.

Mr Donovan said: “I voluntarily agreed not to make the database accessible online because bosses stressed the potential risk to the personal safety of some Shell employees.

“He probably had in mind employees in Nigeria at risk of kidnapping.”

However, in a public e-mail sent to all Shell staff, including those in the North-east, Mr Wiseman reassured staff there was “no need to be alarmed” about the leak, which he said could result in “nuisance telephone calls”.

A Shell spokesman said: “The details of such data are primarily business related. We will investigate this matter and comply with all legal requirements in relation to this issue.”

jmckiernan@ajl.co.uk

ComputerWeekly.com

Ian Grant
Friday 12 February 2010 05:49

Royal Dutch Shell may have been infiltrated by activists, according to one of the people who received an e-mail containing Shell’s staff contact details and a 177-page infiltration guide.

The Times
February 13, 2010

The leaked list includes the names and telephone numbers of 170,000 staff

Robin Pagnamenta, Energy Editor

A full-scale investigation was under way last night into a security breach at Royal Dutch Shell as the oil company faced explaining to staff how the personal details of 170,000 employees and contractors had made their way on to the internet.

The Times has learnt that seven non-governmental organisations (NGOs) who were e-mailed a database of all Shell staff this month have been dragged into the row.

Shell has contacted all the groups — which include Greenpeace’s American office, Earthrights, Justice in Nigeria Now, Shell Guilty, Friends of the Earth (Netherlands), Remember Sarowiwa and CCR Justice — with a demand that they delete the database or face legal action under the UK Data Protection Act.

The list includes names, telephone numbers and other details of employees and contractors working for Shell worldwide. A small number of personal addresses were included in the list, which was leaked to the NGOs and to an anti-Shell website, Royaldutchshellplc.com, in an apparent attempt to highlight Shell’s activities in Nigeria and to call for changes to company policy in the country.

A Shell statement said: “We will investigate this matter and comply with all legal requirements in relation to this issue.” Shell confirmed that its security department had launched an internal investigation into the affair and was working to ensure that no further breaches were possible.

John Donovan, one of the creators of the Royaldutchshellplc website, which has become a focus for attacks on the Anglo-Dutch oil company for several years, said that he had threatened to publish the database on his website. He said that he had chosen not to after an exchange of e-mails, during which Shell advised him that to do so would be a criminal offence.

The security breach at Shell has emerged two months before the introduction of new rules that will mean companies could be fined up to £500,000 if they are reckless with personal information. The Information Commissioner’s Office, which has regulatory responsibility for data breaches, said yesterday that the ICO was “aware of the incident”. From April 6, the ICO will have the power to levy fines on companies that suffer similar leaks.

A spokesman for Greenpeace said that the database appeared to have been sent to a number of the NGO’s staff in the United States.

Shell added that it did not believe that a lengthy cover letter attached to the database, which was alleged to have come from more than 100 of the company’s own staff, was genuine.

Yesterday Shell sought to play down the leak. A statement said: “Certain data concerning Shell employees and other individuals on our internal address list has been disclosed to some external parties. The data is mainly business-related.”

A spokesman for BP said that it never discussed security issues.

Data protection duty

Under the Data Protection Act, companies are obliged to keep employees’ data secure by having up-to-date security. It should not be sent to other countries unless they have adequate protection.

The Information Commissioner’s power to punish companies in breach is limited. Fines for failing to protect against loss of personal data tend to be under £5,000. However, in financial services, the Financial Services Authority can punish failure to protect data; it fined HSBC £3.2 million for not taking adequate steps to prevent clients’ details being lost or stolen.

New laws are being considered for the Information Commissioner to punish companies in cases of loss of personal data for failing to have adequate measures in place. Fines could reach £500,000.

Shell would escape liabilty if the breach were found to be a result not of carelessness but of work by sophisticated operators beating controls. Those people, if found, could face criminal prosecution.

TIMES ARTICLE

ComputerWeekly.com

Shell staff details revealed in security breach

Contact details of more than 170,000 Royal Dutch Shell employees and contractors have become public after a group claiming to be Shell staff concerned about the oil company’s activities e-mailed them to eco and corporate activists.

Shell has confirmed the breach, but played it down, saying it was equivalent to stealing their business cards.

Corporate activist John Donovan, who received a copy of the contact list, said he destroyed it because the details could have threatened the safety of some individuals.

In correspondence published on Donovan’s website, he said Shell’s actions confirmed his view that the leaked data put the personal safety of some employees at risk.

He said he had confirmed the list was up-to-date by test-mailing a sample of the names on the list. None was returned as “undeliverable”, he said.

Shell said the staff list was about six months old. This coincided with the period when Shell laid off about 5,000 staff. It recently announced plans to lay off a further 1,000.

A spokesman for the Information Commissioner’s Office, which has regulatory responsibility for data breaches, said the ICO was “aware of the incident”.

From 6 April, the ICO will have the power to levy fines of up to £500,000 on firms that are reckless with personal information. The ICO spokesman said that due to the timing Shell might escape such a sanction.

A spokesperson for Greenpeace said it was trying to establish whether any of its offices had received the documents, but could not comment at this stage.

Reports in the Times and Financial Times suggested that the database and a document related to Shell’s activities in Nigeria were e-mailed to various civil rights and ecology activists.

Some 116 “concerned employees of Shell Oil” in the US, the UK and the Netherlands reportedly signed the e-mail.

SOURCE ARTICLE

FINANCIAL TIMES

ft.com/energysource

February 12, 2010 1:12pm

by Kate Mackenzie

Shell’s directory leak shouldn’t be taken lightly

Shell must have been a little shocked to hear a database of its entire staff directory – all 170,000 employees – had been emailed to environmental and human rights groups.

But it’s not clear, as Ed Crooks writes on ft.com, exactly who leaked it; although it claims to be a group of 116 employees, who are apparently concerned about Nigeria:

The e-mail sets out a four-stage strategy for raising awareness of allegations about Shell’s practices in Nigeria, including campaigns to target the media and institutional investors.

It also advocates “having people from NGOs [non-governmental organisations] becoming full-time (undercover) employees of corporations (in western countries)” to campaign for change in corporate practices.

Meanwhile John Donovan at royaldutchshellplc.com is irked, because he says Shell asked him not to make the directory public for security and personal reasons (he agreed); but the company subsequently told the press, including the FT, that the database leak was not a security risk. We don’t necessarily agree with Donovan’s accusation that the Shell staff in question were deliberately misleading anyone. Indeed the directory doesn’t contain personal home contact details, so opinions probably varied. But to say there are no security implications from such a leak isn’t quite correct.

Because leaked staff directories are not as safe as handing out business cards. The reason is: social engineering. Not some kind of Orwellian concept; it’s a well-known method for computer hackers to get into an organisation’s network. Dumpster diving and dressing as a contract repairman are a couple of the more entertaining types of social engineering, but just knowing someone’s job title and phone number can create an easy guise for, say: impersonating a senior manager, calling the internal IT helpdesk, and demanding a password. Most companies have security proceeds to guard against it; but there are plenty of tales of hackers getting a crucial piece of information with just a name, job title, and a persuasive phone manner.

This from a white paper at the SANS Institute, a long-established security firm, on social engineering:

Unfortunately, social engineers thrive on easily attainable information such as phone numbers. Social engineers planning to pose as an internal employee will first need to identify someone to masquerade as. Corporate directories are often easy to come by, and not viewed by internal employees as containing sensitive information. Many individuals may think that sharing names, positions and phone numbers is harmless.

Of course as the paper goes on to say, names, job titles and phone numbers can be found out a number of ways, such as calling switchboard or front desk staff – and some organisations publish part of all of their staff directory online (though most security experts frown on this). But the office contact details for 170,000 employees would no doubt be a prize for hackers.

Shell staff might want to take care with their phone conversations, in case the directory has fallen into a hacker’s hands.

FT ARTICLE (SUBSCRIPTION)