Shell Oil Company contractor accused of fraud
Technorati Tag: Security Breach
Date Reported:
10/03/08
Organization:
Royal Dutch Shell PLC
Contractor/Consultant/Branch:
Shell Oil Company
Location:
Houston, Texas
Victims:
"current and former Shell employees"
Number Affected:
4 (confirmed)
Types of Data:
"names, dates of birth, Social Security numbers and some financial information"
Breach Description:
"Shell has taken steps to notify current and former US employees of a misuse of some employee data. Shell discovered that four of its employees' social security numbers were used to file false unemployment compensation claims with the Texas Workforce Commission (TWC)."
Reference URL:
Shell U.S. Staff Alert
Shell Press Release
MarketWatch
ComputerWorld
Convenience Store News
Report Credit:
Shell Oil Company
Response:
From the online sources cited above:
Shell has become aware that personal information related to a small number of Shell employees has regrettably been obtained and misused.
[Evan] Shell claims a "small number" of employees are affected, but it seems that there is room for doubt.
We believe an employee of a third party vendor, while working on a Shell U.S. database as part of a project, had access to social security numbers (SSN) and used that information to file fraudulent unemployment claims on four of our active employees.
[Evan] I wonder how many Social Security numbers and personal records were accessible by the third party employee. If he/she had access to more records, I don't know how we couldn't consider those compromised as well.
employees’ social security numbers were used to file false unemployment compensation claims with the Texas Workforce Commission (TWC)
Upon discovery of the data misuse in early September 2008, Shell informed the third-party agency and the agency’s employee was removed from Shell premises.
The subsequent investigation has resulted in the termination of the contract with the third-party agency, which was performing a data indexing project for Shell.
[Evan] Shell has declined up to this point to name the third-party agency.
Contract workers and third-party agencies hired for projects of this nature work under confidentiality agreements, and the contract workers are scrutinized via background checks before work begins.
Shell regularly examines all safety and security precautions and is reviewing ways to improve these processes.
[Evan] This is my favorite sentence in the entire statement. It demonstrates Shell's understanding that information security is an ongoing process of improvement.
Shell has informed the four affected employees
The matter is being fully investigated internally and Shell is continuing to work with the Texas Workforce Commission and Harris County law enforcement to investigate this matter.
Since being made aware of this, Shell has conducted an extensive investigation to attempt to ascertain whether additional employee data has been compromised and has found no evidence that it has.
Nonetheless, the Company is required by law to inform you of the possibility, and we are providing this notification pursuant to that requirement.
While at this time Shell has no information that there was any credit card fraud or that any other employees' SSNs, names, dates of birth or financial information was misused by the vendor's employee, we wanted to make you aware of some precautions that you may wish to take.
We realize that notice of this incident may cause you concern and regret the anxiety this kind of situation creates.
Fortunately, there are actions you can take to detect and/or prevent potential future misuse.
The options are:
Again, we regret any concern or anxiety this incident has caused you.
Beginning Monday, October 6, 2008, questions about this matter can be directed to between the hours of 8:00 am to 4:00 pm CST, Monday through Friday.
Commentary:
The issues that raise doubt in my mind that this breach only affects four people:
Past Breaches:
Unknown
Date Reported:10/03/08
Organization:
Royal Dutch Shell PLC
Contractor/Consultant/Branch:
Shell Oil Company
Location:
Houston, Texas
Victims:
"current and former Shell employees"
Number Affected:
4 (confirmed)
Types of Data:
"names, dates of birth, Social Security numbers and some financial information"
Breach Description:
"Shell has taken steps to notify current and former US employees of a misuse of some employee data. Shell discovered that four of its employees' social security numbers were used to file false unemployment compensation claims with the Texas Workforce Commission (TWC)."
Reference URL:
Shell U.S. Staff Alert
Shell Press Release
MarketWatch
ComputerWorld
Convenience Store News
Report Credit:
Shell Oil Company
Response:
From the online sources cited above:
Shell has become aware that personal information related to a small number of Shell employees has regrettably been obtained and misused.
[Evan] Shell claims a "small number" of employees are affected, but it seems that there is room for doubt.
We believe an employee of a third party vendor, while working on a Shell U.S. database as part of a project, had access to social security numbers (SSN) and used that information to file fraudulent unemployment claims on four of our active employees.
[Evan] I wonder how many Social Security numbers and personal records were accessible by the third party employee. If he/she had access to more records, I don't know how we couldn't consider those compromised as well.
employees’ social security numbers were used to file false unemployment compensation claims with the Texas Workforce Commission (TWC)
Upon discovery of the data misuse in early September 2008, Shell informed the third-party agency and the agency’s employee was removed from Shell premises.
The subsequent investigation has resulted in the termination of the contract with the third-party agency, which was performing a data indexing project for Shell.
[Evan] Shell has declined up to this point to name the third-party agency.
Contract workers and third-party agencies hired for projects of this nature work under confidentiality agreements, and the contract workers are scrutinized via background checks before work begins.
Shell regularly examines all safety and security precautions and is reviewing ways to improve these processes.
[Evan] This is my favorite sentence in the entire statement. It demonstrates Shell's understanding that information security is an ongoing process of improvement.
Shell has informed the four affected employees
The matter is being fully investigated internally and Shell is continuing to work with the Texas Workforce Commission and Harris County law enforcement to investigate this matter.
Since being made aware of this, Shell has conducted an extensive investigation to attempt to ascertain whether additional employee data has been compromised and has found no evidence that it has.
Nonetheless, the Company is required by law to inform you of the possibility, and we are providing this notification pursuant to that requirement.
While at this time Shell has no information that there was any credit card fraud or that any other employees' SSNs, names, dates of birth or financial information was misused by the vendor's employee, we wanted to make you aware of some precautions that you may wish to take.
We realize that notice of this incident may cause you concern and regret the anxiety this kind of situation creates.
Fortunately, there are actions you can take to detect and/or prevent potential future misuse.
The options are:
- Reviewing your Credit Reports
- Fraud Security Alert
- Security Freeze
Again, we regret any concern or anxiety this incident has caused you.
Beginning Monday, October 6, 2008, questions about this matter can be directed to between the hours of 8:00 am to 4:00 pm CST, Monday through Friday.
Commentary:
The issues that raise doubt in my mind that this breach only affects four people:
- There is a chance (maybe even likely) that the accused third-party employee had access to more employee records
- The accused third-party employee has demonstrated that he/she is willing to go "the next step" and commit fraud using stolen information
-
In data indexing projects it can be difficult to log access due to the nature of the work
Past Breaches:
Unknown
Posts Atom 1.0
Comments