Security Breach at Shell Reveals Personal Employee Information

February 28th, 2010

Security breaches can happen anytime, anywhere, and can affect practically anyone in an organization. In the past , we’ve covered several examples where breaches revealed customer’s passwords and social security numbers. Today, we explore a different type of breach- one which leaked the personal details of 170,000 employees and contractors of Royal Dutch Shell. This incident is particularly important because it provides a perfect example of how storing unencrypted data on company computers can be dangerous and have serious consequences that can strike a company from the inside.

The situation is particularly difficult for the infamous oil corporation- the database of names and personal contact details had been e-mailed to several non-governmental organizations, including Greenpeace, Friends of Earth, and Shell Guilty. Shell has attempted to prevent the NGOs from publishing the information, explaining that in doing so, they would be breaking the law. Additionally, Shell is launching a full scale investigation in an effort to figure out how their employee information ended up accessible to third-parties. While it’s difficult to guess at the techniques used by the hackers, one thing is clear- Shell computers aren’t protected by full disc encryption services and. as a result, much more vulnerable to online threats.

Shell’s Information is a Serious Problem

Understandably, Shell is trying to prevent the security breach from being seen as a serious problem. An article from TimesOnline included a quote from the company:

Yesterday Shell sought to play down the leak. A statement said: ‘Certain data concerning Shell employees and other individuals on our internal address list has been disclosed to some external parties. The data is mainly business-related.’

While there may be some truth in the representative’s claims about much of the information being publicly available and not being capable of damaging the company, it’s likely that Shell’s employees feel differently. According to a report by the BBC, some of Shell’s workers had their private home telephone numbers leaked. Even if no personal telephone numbers were leaked, the breach brings attention to the poor status of computer security at Shell. Employees can’t function properly in an environment where they’re not certain that appropriate security measure are in place and that their personal details are well-protected. This last complication is troublesome, at least for Shell, which will need to improve the way it does business in order to reassure its employees that their private information is safe. Dealing with the aftermath of a crisis can be extremely costly and in many cases, a damaged reputation can’t ever truly be recovered, regardless of how much money is spent.

Lessons to Learn

Ironically, Shell’s security breach came at a convenient time- had Shell discovered the breach in April, a new set of rules (covered here and here) would have allowed the company to be charged fines of up to £500,000. However, even without the additional monetary cost, Shell lost something extremely valuable: the trust of its employees. Shell workers are much less likely to remain loyal to a company which isn’t proactive about protecting its internal information.

In order to earn and maintain the trust of its workers, a company needs to employ solutions which are easy to use and keep data secure. Had Shell been using our Alsertsec Xpress computer security software, the company may have avoided the embarrassing security breach and kept its positive reputation among employees. Our software is specifically designed to keep all business parties happy and secure- it encrypts data, making it much more challenging for the others to access it.

Further Reading
Shell investigates posting of personal data [TimesOnline]
Shell security breach reveals employee details[BBC]

SOURCE ARTICLE