Tuesday 16 February 2010

The disgruntled worker turned activist

This week brings news of a data breach at Royal Dutch Shell affecting 170,000 workers at the global oil company. From published reports, the database is thought to contain names, telephone numbers and additional details for both permanent and contract employees. The database is also believed to be about six months old.

What makes this breach unique, and points to a disgruntled insider as the likely source, is that the database was mailed to groups that have had contentious relations with Royal Dutch Shell. The recipients of the database allegedly include Greenpeace and other non-governmental groups that have protested Shell’s activities.

Last year, Shell cut 5,000 jobs and reduced IT contractor pay by 12 percent. Many data thefts occur during a time of staff reductions or low morale, when individuals are more likely to “strike back” at the company. While we don’t know the exact details, it would appear that this insider or insiders attempted to put Shell at a disadvantage by giving out detailed, proprietary information that could be used immediately against the company.

This type of “revenge breach” has been on the rise during the past few years, given the tumultuous global economic climate, and we expect these types of breaches to continue.

Ironically, if it is found guilty of not properly storing data, Shell could be fined by the UK Information Commissioner’s Office. Currently, these fines have a maximum amount of £5,000. These fines, however, are set to increase to up to £500,000 in two months, so Shell’s breach comes as a reminder to all companies to secure data from the inside out -- as well as from the outside coming in!