Royal Dutch Shell Plc  .com Rotating Header Image

Shell investigates posting of personal data

Times Online

The Times
February 13, 2010

The leaked list includes the names and telephone numbers of 170,000 staff

Robin Pagnamenta, Energy Editor

A full-scale investigation was under way last night into a security breach at Royal Dutch Shell as the oil company faced explaining to staff how the personal details of 170,000 employees and contractors had made their way on to the internet.

The Times has learnt that seven non-governmental organisations (NGOs) who were e-mailed a database of all Shell staff this month have been dragged into the row.

Shell has contacted all the groups — which include Greenpeace’s American office, Earthrights, Justice in Nigeria Now, Shell Guilty, Friends of the Earth (Netherlands), Remember Sarowiwa and CCR Justice — with a demand that they delete the database or face legal action under the UK Data Protection Act.

The list includes names, telephone numbers and other details of employees and contractors working for Shell worldwide. A small number of personal addresses were included in the list, which was leaked to the NGOs and to an anti-Shell website,, in an apparent attempt to highlight Shell’s activities in Nigeria and to call for changes to company policy in the country.

A Shell statement said: “We will investigate this matter and comply with all legal requirements in relation to this issue.” Shell confirmed that its security department had launched an internal investigation into the affair and was working to ensure that no further breaches were possible.

John Donovan, one of the creators of the Royaldutchshellplc website, which has become a focus for attacks on the Anglo-Dutch oil company for several years, said that he had threatened to publish the database on his website. He said that he had chosen not to after an exchange of e-mails, during which Shell advised him that to do so would be a criminal offence.

The security breach at Shell has emerged two months before the introduction of new rules that will mean companies could be fined up to £500,000 if they are reckless with personal information. The Information Commissioner’s Office, which has regulatory responsibility for data breaches, said yesterday that the ICO was “aware of the incident”. From April 6, the ICO will have the power to levy fines on companies that suffer similar leaks.

A spokesman for Greenpeace said that the database appeared to have been sent to a number of the NGO’s staff in the United States.

Shell added that it did not believe that a lengthy cover letter attached to the database, which was alleged to have come from more than 100 of the company’s own staff, was genuine.

Yesterday Shell sought to play down the leak. A statement said: “Certain data concerning Shell employees and other individuals on our internal address list has been disclosed to some external parties. The data is mainly business-related.”

A spokesman for BP said that it never discussed security issues.

Data protection duty

Under the Data Protection Act, companies are obliged to keep employees’ data secure by having up-to-date security. It should not be sent to other countries unless they have adequate protection.

The Information Commissioner’s power to punish companies in breach is limited. Fines for failing to protect against loss of personal data tend to be under £5,000. However, in financial services, the Financial Services Authority can punish failure to protect data; it fined HSBC £3.2 million for not taking adequate steps to prevent clients’ details being lost or stolen.

New laws are being considered for the Information Commissioner to punish companies in cases of loss of personal data for failing to have adequate measures in place. Fines could reach £500,000.

Shell would escape liabilty if the breach were found to be a result not of carelessness but of work by sophisticated operators beating controls. Those people, if found, could face criminal prosecution.

TIMES ARTICLE and its sister non-profit websites,,,,,, and are owned by John Donovan. There is also a Wikipedia feature.

0 Comments on “Shell investigates posting of personal data”

Leave a Comment

%d bloggers like this: