“We are in possession of a massive database containing contact information for every Shell employee throughout the world. It was supplied by an organized group of over 100 Shell employees from the USA, the UK and the Netherlands intent on a corporate revolution inside your company.”
By John Donovan
The news media has reported that payroll details of 100,000 Morrisons staff have been published on the web.
The UK supermarket chain launched an internal investigation after information about its 100,000 employees was allegedly leaked by an insider and posted on to the internet. According to The Daily Mail, “The company has set up a hotline and dedicated email address for staff who are worried about the possibility of their information falling into the hands of scammers.”
Royal Dutch Shell was hit by an even bigger breach of employee data in February 2010 – the world's biggest breach of employee information – when a database containing personal information for 177,000 Shell employees and contractors was supplied to me. It was leaked by a group of disgruntled Shell employees.
I sent an email to Michiel Brandjes, the Company Secretary of Royal Dutch Shell Plc, and received an alarmed response from Richard Wiseman, the then Chief Ethics & Compliance Officer of the company. The immediate correspondence is printed below. Because Mr Wiseman later confirmed that personal security would be put at risk, I did not publish the database, but instead, at the request of Mr Wiseman, destroyed it. He was good enough to thank me for the responsible way I dealt with the matter.
The incident generated world-wide news coverage.
INITIAL EMAIL CORRESPONDENCE OF “COLOSSAL SECURITY BREACH AT SHELL”
From: John Donovan [mailto:[email protected]]
Sent: 03 February 2010 12:29
To: Brandjes, Michiel CM RDS-LC
Cc: Wiseman, Richard RM SI-RDS-CCO
Subject: COLOSSAL SECURITY BREACH AT SHELL
Dear Mr Brandjes
We are in possession of a massive database containing contact information for every Shell employee throughout the world.
It was supplied by an organized group of over 100 Shell employees from the USA, the UK and the Netherlands intent on a corporate revolution inside your company. We agree with the aims of the group.
No doubt “CAS” is already investigating this colossal breach of security.
In addition to an article being prepared, we intend to make the database available online later today.
Please advise as a matter of urgency if Shell has any objections, and if so, what they are. Obviously we do not want to put anyone at risk, though we cannot currently see that this would be the case.
If it is just a matter of a huge embarrassment for Shell, then we will publish as planned.
REPLY FROM SHELL
Dear Mr Donovan
Unfortunately, Mr Brandjes is not able to respond and in view of the deadline you have imposed, I thought it sensible to reply. You will appreciate that our immediate concern is the security of Shell’s staff. Accordingly I should be grateful if you would let me know exactly what information you have and intend to publish. In particular, please let me know whether this information includes private contact information like addresses and phone numbers, in which case we would protest very strongly indeed and require that this information is not published.
Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA
Registered in England and Wales number 4366849
Registered Office: Shell Centre, London, SE1
Headquarters: Carel van Bylandtlaan 30, 2596 HR
The Hague, The Netherlands
Email: [email protected]