Posts under ‘Shell Employee Safety’

Ironically, Shell’s security breach came at a convenient time- had Shell discovered the breach in April, a new set of rules (covered here and here) would have allowed the company to be charged fines of up to £500,000. However, even without the additional monetary cost, Shell lost something extremely valuable: the trust of its employees. Shell workers are much less likely to remain loyal to a company which isn’t proactive about protecting its internal information.

“Risk Awareness has gone up; risk tolerance has gone down,” said Jon Unwin, vice president of safety, environment and sustainable development for Shell Upstream Americas’ deep-water unit. Today, Shell, Chevron and others talk about cutting offshore incidents to zero.

By John Donovan

Shell media spin machine went into overdrive last week trying to downplay the worlds biggest ever leak of employee details, including personal information, which Shell Ethics boss Richard Wiseman, has twice admitted puts the safety of some employees at risk.

A copy of a related email from Mr Wendel Broere, Group spokesman, Global media relations, Shell International B.V, desperately engaged on a damage limitation exercise with the news media, was leaked to me on the day it was sent. My role is discussed in the email, no doubt because I am the person who broke the story which turned into a global PR disaster for Shell, with all kinds of unwelcome repercussions, including an investigation by the Information Commissioners Office and the prospect of a fine for being reckless with confidential employee data.

The information sent by Broere on the record says that Shell is investigating the matter and will comply with all legal requirements. The issue of personal security is only mentioned “Off the record” in his email, down-played to being no greater risk to Shell employee personal safety than merely handing out a business card.

Shell now says there was no private address information. That was not the case in the leaked employee data I received which Shell pressured me into destroying before Shell media started pumping out smoke. In fact, many post-codes were included in the data: Far more than could be only Shell addresses. Also personal mobile phone numbers, along with an array of other contact information.

The line now being taken by Shell is totally incompatible with the unambiguous statement on the personal security aspect made by Shell Ethics Richard Wiseman that he subsequently reconfirmed to me by email. This was after I published a leaked email Wiseman had sent to all employees, which failed to mention any risk to personal safety.

And it was not just Shell employee information that was leaked, but four other data files, all forming part of an carefully contrived plan – formulated with almost military precision – for a claimed corporate revolution at Shell by a subversive group that appears to have successfully infiltrated the oil giant. The whole thrust of the plan directed at Shell is motivated by its alleged crimes in Nigeria, which are listed in the extraordinary document.

Following contact with the Information Commissioners Office, we have also destroyed the other related files supplied within the attachment containing the Shell Global Address Book. However, we understand that now that the information has escaped into cyber-space, it will always be potentially retrievable.

Although Shell Corporate Affairs Security (CAS) is mounting a major investigation, how much confidence can employees have in a department headed by retired spooks, when CAS was presumably ultimately responsible for safeguarding security in the first place? At least it might divert CAS from carrying out “invisible” investigations against the Donovans.

Clearly the global spying by CAS against Shell employees to try to stop information from reaching us has not been entirely successful. The flood of leaked Shell information continues unabated.

According to a posting on our Shell Blog by a Shell IT insider (a regular contributor of articles to this website) a breach of the employee Directory could have happened at anytime in the last decade:

IT4me: What interests me about the Directory Leak story is that any competent scripter could have done this at any time in the last 10 years using just NOTEPAD and maybe 20 lines of VBS code. That’s because Active Directory (parts of it anyway) have been left open for use by RDS’s diverse collection of systems. So why didn’t it happen before ? And why doesn’t this sort of thing ever happen at GOOGLE ?

Written by Emmanuel Carabott on February 15, 2010 – 4:35 pm

This week the BBC reported that someone has disclosed contact details for 170,000 of Shell’s employees world wide. The disclosure comes with a note claiming it is being disclosed by former employees who can’t stand the damage the company is doing to the environment.  Shell has in turn downplayed the event claiming that the information disclosed does not pose a security risk to its employees since it does not include employee’s addresses.

Following this statement I really hope that such a statement is simply damage control on Shell’s part and that it does not truly believe the statement the company released. Whenever an organization is hit with something like this the implications are enormous and it’s definitely not something to take lightly. While the details published included names and phone numbers for the most part there is no guarantee that whoever perpetrated the leak doesn’t have access to additional information. Furthermore even with such limited information such as name and contact numbers a social engineer can use that information very effectively to infiltrate the organization.

Another thing Shell should definitely be concerned over is, if the attacker managed to get access to this data what else did he manage to get his hands on? How will this affect its workforce?  Will the resulting harassment lead to people leaving the company? Will the breach mean that some possible future employees will think twice before the joining the company fearing for their privacy? What about lost business? It is definitely to be expected that some companies will worry about their contractual and financial details being safe with the company! This can lead to lost deals and revenue.

What is definite is that such a breach causes one huge PR nightmare that will not go away by downplaying the breach; downplaying,  if anything, will make the situation worst.

As the proverb goes, prevention is better than cure and this was never more so than in the realm of security.  Once such a breach occurs the damage is done. Contingencies may limit the damage a little but in any case the resulting fall out is likely to be more expensive than protecting the system in the first place. I am obviously not claiming that Shell didn’t do its best to protect its data, that’s something I do not know and neither do I have a way of knowing. What I am trying to say is that one should do his best to avoid such an unfortunite situation. If one is to believe the disclosed letter, the attack was perpetrated by insiders. While Shell itself is sceptic of this claim it is really not that hard to believe. Time and time again researchers have placed insider threats very high on the security risks organization’s face.  Worse yet, often organizations spend the majority of their security budget protecting the inside from the outside and not the inside from itself. One would obviously do very well to remember that in security one loses as soon as the weakest link is compromised and not after the strongest measures fall.

Stories such as this should be an effective cautionary tale of what security is meant to avoid. While investing in end point security, the perimeter and access control might not bring any tangible ROI in the short term, if that one time cost can avoid an unpleasant situation such as this it would have more than paid for itself.

A spokesperson for the ICO said: “Shell has notified us of a security breach regarding a significant amount of people’s personal details. We are looking into how this data breach occurred and will decide what, if any regulatory action, is required.” Shell – if it is found guilty – may escape lightly. Fines levied by the ICO for failing to protect against the loss of personal data tend to be under £5,000.

Evening Express: Group claims responsibility for ‘inside job’ at oil giant

PROBE: Oil firm Shell said an investigation would be launched into the data leak.

DAMAGING: Undercover activists could be working at Shell’s Aberdeen base in Altens.

By Jennifer McKiernan

Published: 15/02/2010

A DATA leak endangering oil workers was committed by undercover environmental activists, it has been claimed.

The Evening Express told how a database containing more than 100,000 personal details about Shell employees and contractors was leaked from the oil firm.

A 116-strong group claiming to be full-time Shell employees – some of whom could be working in Aberdeen – have claimed responsibility for the data leak.

And the group claims the Shell database leak was an organised “inside job” to highlight alleged human rights abuses in oil-rich Nigeria.

jmckiernan@ajl.co.uk

The Register

Posted in IT Director, 15th February 2010 09:20 GMT

By John Oates

Evening Express: Claim that oil firm staff could be at risk

By Jennifer McKiernan and Charlotte Jordan

Published: 12/02/2010

ADVICE: Shell employees at Tullos have been told not to be alarmed

A DATA leak has put Shell oil workers in danger from cyber-criminals and environmental activists, it was claimed today.

A Shell database containing details of 102,000 employees and contractor information was accessed and sent out from the firm, which has a major base in Aberdeen.

The information includes private addresses and mobile phone numbers.

Among those to be sent the details were British blogger John Donovan who said the personal details could be used to dupe staff and put workers in dangerous situation.

He said he “knew for certain” the data had been passed to a Nigerian activist organisation and six other groups.

And he accused the oil company of “covering-up” the full extent of risk to staff.

E-mails from Shell’s chief ethics and compliance officer Richard Wiseman said employee and contractor security could be compromised by the leaked data.

Mr Donovan said: “I voluntarily agreed not to make the database accessible online because bosses stressed the potential risk to the personal safety of some Shell employees.

“He probably had in mind employees in Nigeria at risk of kidnapping.”

However, in a public e-mail sent to all Shell staff, including those in the North-east, Mr Wiseman reassured staff there was “no need to be alarmed” about the leak, which he said could result in “nuisance telephone calls”.

A Shell spokesman said: “The details of such data are primarily business related. We will investigate this matter and comply with all legal requirements in relation to this issue.”

jmckiernan@ajl.co.uk

ComputerWeekly.com

Ian Grant
Friday 12 February 2010 05:49

Royal Dutch Shell may have been infiltrated by activists, according to one of the people who received an e-mail containing Shell’s staff contact details and a 177-page infiltration guide.