Shell hit by massive data breach
By Richard Thurston
A database containing contact details of 170,000 workers of oil giant Royal Dutch Shell has been emailed to campaigning groups opposed to the company’s activities.
Seven non-governmental groups – including human rights groups and environmental campaigners such as Greenpeace – plus anti-Shell campaigning website royaldutchshellplc.com received the database details, which are thought to have been sent by a disaffected former employee of the company.
Many of those groups are upset at the way Shell is purported to be operating in some countries, particularly Nigeria.
The database is thought to contain names, telephone numbers and further details on permanent and contract employees. A lengthy covering letter was attached to the database, purporting to be from more than 100 Shell staff.
Shell has demanded that the activists delete the database. Furthermore, it said it has already launched an investigation, and argues that the breach does not pose a security risk. However, it could provide no further comment at the time of publication.
If it is found that Shell is guilty of an offence under the Data Protection Act, it could be fined.
The Information Commissioner’s Office (ICO) – the UK’s data watchdog – said it takes breaches affecting individuals’ personal data “very seriously”.
A spokesperson for the ICO said: “Shell has notified us of a security breach regarding a significant amount of people’s personal details. We are looking into how this data breach occurred and will decide what, if any regulatory action, is required.”
Shell – if it is found guilty – may escape lightly. Fines levied by the ICO for failing to protect against the loss of personal data tend to be under £5,000.
While the data breach may prove costly both financially and in terms of reputation, its timing is ironic. In two months' time, new rules are set to be introduced that may mean companies could be fined up to £500,000 if they are found to be reckless with personal information.
The leaked database is about six months old, implying that ex-employees may have been involved.
Shell cut 5,000 jobs last year.

Shell hit by a zombie
The data theft experienced by Shell illustrates the importance of access control and ensuring that only authorised users can access networks and the systems attached to them. As with the TK Maxx/TJ Maxx data loss in 2007 and the Cotton Traders data loss in 2008, weak network access controls ultimately lead to sensitive customer data being compromised. This latest incident could have been avoided by implementing and maintaining tight access controls and using strong authentication techniques. Networks – both wired and wireless – must be as secure as current technology allows and inactive ‘zombie’ users should have their IT access deactivated, to avoid disgruntled former workers accessing systems, as well as reducing the number of entry points a criminal could use to gain access to back-office systems. Protecting sensitive corporate and customer data means more than just having a good password policy. Limiting user access to just the applications and repositories they actually need is an important tool to combat unauthorised and malicious data access. By limiting user access privileges, a compromised login will pose less of a threat to the business and limit the damage to mission-critical systems.
Stuart Hodkinson, UK general manager, Courion
By Ip_courion3a5e03 on Monday Feb 15
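The deactivation of 'zombie' users that the comment above calls for can be checked by reconciling an HR leaver list against the account directory. This is an added example, not code from the article or the commenter; the CSV layouts, usernames and the 90-day idle threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leaver list and an account directory export.
HR_LEAVERS_CSV = """employee_id,leave_date
E1001,2009-08-14
E1002,2009-11-30
"""
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
asmith,E1001,true,2010-01-20
bjones,E1002,false,2009-11-29
cwu,E1003,true,2010-02-10
dkhan,E1004,true,2009-06-01
"""

def find_zombie_accounts(hr_csv, accounts_csv, today, max_idle_days=90):
    """Return {username: [reasons]} for enabled accounts that need review."""
    leavers = {row["employee_id"]: date.fromisoformat(row["leave_date"])
               for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already deactivated, nothing to do
        reasons = []
        last_login = date.fromisoformat(acct["last_login"])
        left_on = leavers.get(acct["employee_id"])
        if left_on is not None:
            reasons.append(f"owner left {left_on}")
            # A login after the leave date means the account was actually used.
            if last_login > left_on:
                reasons.append("login after leave date")
        idle_days = (today - last_login).days
        if idle_days > max_idle_days:
            reasons.append(f"idle {idle_days} days")
        if reasons:
            findings[acct["username"]] = reasons
    return findings

if __name__ == "__main__":
    report = find_zombie_accounts(HR_LEAVERS_CSV, ACCOUNTS_CSV, date(2010, 2, 15))
    for user, why in report.items():
        print(user, "->", "; ".join(why))
```

Accounts flagged with "login after leave date" are the ones to investigate first, since they show use of an account that should already have been disabled.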
Most Orgs Enjoy "Security" as a Matter of Luck
I think David Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).
By janice33rpm on Monday Feb 15
Will anyone learn from this?
The questions Shell should be asking now are: could this have been prevented? How did they get in? Are those doors now shut? Are processes being updated to make sure similar attacks don’t happen? And finally are their processes being updated to make sure that when this happens again, their disaster team swings into place with seamless grace? It’s all about being in control and not just wildly trying to put out fires. Find out how it happened, establish the impact of the breach, and re-assure your base that it won’t happen again. The question of course, is how do they get those answers? No matter what happens across applications, databases, operating systems, routers, switches, firewalls, VPNs, and the hundred other devices that make up the rich, varied and interoperable fabric of your IT backbone, it’s all recorded. There are electronic surveillance cameras everywhere recording the basic facts: the very ‘truth’ of what happened, when, where, and by whom. Systems produce millions of log records every day. By investing in a system that can collect those logs, parse them, deeply understand them, normalise and then correlate the data, they can easily either trace stolen data back through the net to the hole that let it out, or from the hole, run forward to find out what was taken. The logs are the only way you can do this, so it’s important that they respond quickly and get their house in order as those penalty fines are going to be a whole lot bigger very shortly.
By AndyMorris on Monday Feb 15
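The parse, normalise and correlate flow described in the comment above, reduced to one case: a bulk database read followed by an outbound email from the same user. This is an added example, not code from the commenter or any product; both log formats, the domains, the thresholds and every log line are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs in two made-up formats (not from any real product).
DB_AUDIT = """\
2010-02-10T09:12:03 user=jdoe action=SELECT table=staff_directory rows=12
2010-02-10T22:41:17 user=mroe action=SELECT table=staff_directory rows=170000
"""
MAIL_GW = """\
Feb 10 2010 22:58:40 from=mroe@corp.example to=tips@ngo.example attach_bytes=18400211
Feb 10 2010 23:05:02 from=jdoe@corp.example to=hr@corp.example attach_bytes=20480
"""
INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain

DB_RE = re.compile(r"^(\S+) user=(\w+) action=\w+ table=(\w+) rows=(\d+)$", re.M)
MAIL_RE = re.compile(
    r"^(\w+ \d+ \d+ [\d:]+) from=(\w+)@\S+ to=\S+@(\S+) attach_bytes=(\d+)$", re.M)

def normalise(db_log, mail_log):
    """Parse both formats into one time-ordered list of events with common keys."""
    events = []
    for m in DB_RE.finditer(db_log):
        events.append({"ts": datetime.fromisoformat(m[1]), "user": m[2],
                       "kind": "db_read", "detail": m[3], "size": int(m[4])})
    for m in MAIL_RE.finditer(mail_log):
        events.append({"ts": datetime.strptime(m[1], "%b %d %Y %H:%M:%S"),
                       "user": m[2], "kind": "mail_out", "detail": m[3],
                       "size": int(m[4])})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_rows=10000, window=timedelta(hours=1)):
    """Pair each bulk read with later external mail from the same user in the window."""
    hits = []
    for read in events:
        if read["kind"] != "db_read" or read["size"] < min_rows:
            continue
        for mail in events:
            gap = mail["ts"] - read["ts"]
            if (mail["kind"] == "mail_out" and mail["user"] == read["user"]
                    and mail["detail"] != INTERNAL_DOMAIN
                    and timedelta(0) <= gap <= window):
                hits.append((read["user"], read["detail"], mail["detail"], gap))
    return hits

if __name__ == "__main__":
    for hit in correlate(normalise(DB_AUDIT, MAIL_GW)):
        print(hit)
```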