Shell has been hit by a massive data breach - the contact database for 176,000 staff and contractors at the firm has been copied and forwarded to lobbyists and activists opposed to the company. John Donovan, an activist who received the database, said he had voluntarily destroyed the files. But he warned that other copies were …
Is it technically a "breach"?
If the information was nicked by someone who had legitimate access to it, is it really a "breach"?
I suppose it depends on what you're saying has been breached... the confidentiality of the data (yes), or the security system protecting it (possibly no, if it turns out it was an inside job).
(I'm not sure of the answer, just interested in people's opinions)
It's not the "breach" that's important here
Shell is probably right about the impact this time; sounds like someone lifted the company phone book. That would not be a good reason to bring the ICO down on Shell.
The information in a typical phone book is not too useful in and of itself, but it might be leveraged for targeted attacks. And like most company phone books, it won't have been thoroughly nailed down in the first place. There really is no reason why it should and plenty of reason why it would be impractical.
Which brings us to the point that the most important thing here, for Shell, is the 162 people that collectively are supposedly behind this action. No mistake, Shell is a big company, but that's still a bit of a bunch of people taking action.
.... database for 176,000 staff and contractors ....
.... The email supposedly comes from 176 "concerned staff" ....
Is the number 176 significant here? Probably mere coincidence methinks, but curious anyhow.
The Dept of the Bleeding Obvious has its IT Say ...... a MisSpeaks, naturally.
"The company played down the security implications of the loss - it is phone and email details rather than real-world addresses."
FFS ... what more does a body need, and who do they think they are fooling, other than themselves, to be playing down the security implications of the loss.
"But if hackers have got access to Shell's systems then they might have more mischief planned."
Wow, Sherlock, are you sure?
Sounds like some idiot inside Shell downloaded the Outlook address book.
Shell have invested a lot of money in Nigeria and have directly contributed to the construction of roads, schools, education programmes for children and adults, and direct employment of huge numbers of local staff. The list goes on.
If people are unhappy about what is happening in Nigeria, they should look to the corrupt cabal that runs the country, not Shell, or any of the other oil companies (ENI etc) that are there.
I feel sorry for Shell on this one. I know many people that work at the Dyce office. All good honest people.
It only takes one idiot to screw it up for everyone...
Companies must keep on top of all user accounts, not just current users
The data theft experienced by Shell illustrates the importance of access control and ensuring that only authorised users can access networks and the systems attached to them.
As with the TK Maxx/TJ Maxx data loss in 2007 and the Cotton Traders data loss in 2008, weak network access controls ultimately led to sensitive customer data being compromised. This latest incident could have been avoided by implementing and maintaining tight access controls and using strong authentication techniques.
Networks – both wired and wireless – must be as secure as current technology allows and inactive ‘zombie’ users should have their IT access deactivated, to avoid disgruntled former workers accessing systems, as well as reducing the number of entry points a criminal could use to gain access to back-office systems.
Protecting sensitive corporate and customer data means more than just having a good password policy. Limiting user access to just the applications and repositories they actually need is an important tool to combat unauthorised and malicious data access. By limiting user access privileges, a compromised login will pose less of a threat to the business and limit the damage to mission-critical systems.
Stuart Hodkinson, UK general manager for Courion
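The two controls the comment above argues for (deactivating inactive or departed users, and trimming access to what a role actually needs) are the kind of thing that can be checked mechanically from a directory export. The following is an added example, not code from the original thread or from Courion; it runs over a small constructed account list (the field names, the 90-day threshold and the role-to-group mapping are assumptions, not anything Shell uses).

```python
from datetime import datetime, timedelta

# Constructed sample directory export (not real data). Fields mimic what an
# AD/LDAP dump joined with an HR feed might carry.
SAMPLE_ACCOUNTS = [
    {"user": "alice",  "enabled": True,  "last_logon": "2010-02-10", "hr_status": "active",
     "role": "engineer", "groups": ["staff", "eng-repo"]},
    {"user": "bob",    "enabled": True,  "last_logon": "2009-09-01", "hr_status": "active",
     "role": "engineer", "groups": ["staff", "eng-repo", "finance-db"]},   # stale + over-privileged
    {"user": "carol",  "enabled": True,  "last_logon": "2010-02-12", "hr_status": "left",
     "role": "finance", "groups": ["staff", "finance-db"]},                # leaver still enabled
    {"user": "dave",   "enabled": False, "last_logon": "2009-01-01", "hr_status": "left",
     "role": "finance", "groups": ["staff"]},                              # already disabled
    {"user": "svc-bk", "enabled": True,  "last_logon": None,         "hr_status": "service",
     "role": "service", "groups": ["backup-operators"]},                   # never logged on
]

# Assumed allowlist: which groups each role legitimately needs.
ROLE_ALLOWLIST = {
    "engineer": {"staff", "eng-repo"},
    "finance":  {"staff", "finance-db"},
    "service":  {"backup-operators"},
}


def find_zombie_accounts(accounts, now, max_inactive_days=90):
    """Return (user, reason) pairs for enabled accounts that should be disabled or reviewed."""
    cutoff = now - timedelta(days=max_inactive_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already deactivated, nothing to do
        if acct["hr_status"] == "left":
            findings.append((acct["user"], "leaver still enabled"))
            continue
        if acct["last_logon"] is None:
            findings.append((acct["user"], "never logged on"))
            continue
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if last < cutoff:
            findings.append((acct["user"], f"inactive for {(now - last).days} days"))
    return findings


def excess_group_memberships(accounts, allowlist):
    """Return (user, sorted extra groups) for accounts holding groups outside their role's allowlist."""
    findings = []
    for acct in accounts:
        allowed = allowlist.get(acct["role"], set())
        extra = sorted(set(acct["groups"]) - allowed)
        if extra:
            findings.append((acct["user"], extra))
    return findings


if __name__ == "__main__":
    now = datetime(2010, 2, 15)           # constructed "today" for the sample
    for user, reason in find_zombie_accounts(SAMPLE_ACCOUNTS, now):
        print(f"disable/review {user}: {reason}")
    for user, extra in excess_group_memberships(SAMPLE_ACCOUNTS, ROLE_ALLOWLIST):
        print(f"trim {user}: not needed for role -> {extra}")
```

The first function is deliberately driven by the HR status as well as the logon timestamp: a leaver who logged on yesterday is a higher-priority finding than a dormant account, and a timestamp-only sweep would miss it. The second function only reports groups outside the role's allowlist, so the output is a removal list rather than a full membership dump.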
Preaching to the converted on this forum aren't we? Or just banging your own drum?
More than likely an inside job, how many people do you think have read access to a corporate Outlook directory? Should they? Do you really think any of the measures you bleat on about will have any effect other than breaking communication links within the corporate body?
Jeez, time to re-learn intranet security 101 methinks.
There's no practical way to prevent someone with an ordinary domain account from pulling a copy of the full GAL (global address list, NOT "the internal phonebook" as suggested up-thread). Obviously it's not great to have names and email addresses leak, but it's not the end of the world either. They might be used for some social engineering attacks ("Hi Esmerelda, it's Martin Davis from IT here, could you pls reset your password to "123456", just for the next 10 minutes?").
It can also be done by a bog-standard driveby download compromise, the spambot herders often use compromised corporate machines to dump the GAL for use as a list of spam targets.
Will be interested to see how big a slap on the wrist they get from the Information Commissioner dude. Token £5K fine and a "be more careful in future" is my bet.
"rogue campaign group within Shell" hahah that's a bit OTT isn't it? too much 24 this weekend lads?
Sounds like a disgruntled worker swiped the company GAL and distributed it.
I would have expected an external attack would have done a lot more damage.
Will anyone learn from this?
The questions Shell should be asking now are: could this have been prevented? How did they get in? Are those doors now shut? Are processes being updated to make sure similar attacks don’t happen? And finally, are their processes being updated to make sure that when this happens again, their disaster team swings into place with seamless grace?
It’s all about being in control and not just wildly trying to put out fires. Find out how it happened, establish the impact of the breach, and reassure your base that it won’t happen again. The question of course, is how do they get those answers?
No matter what happens across applications, databases, operating systems, routers, switches, firewalls, VPNs, and the hundred other devices that make up the rich, varied and interoperable fabric of your IT backbone, it’s all recorded. There are electronic surveillance cameras everywhere recording the basic facts: the very ‘truth’ of what happened, when, where, and by whom. Systems produce millions of log records every day; by investing in a system that can collect those logs, parse them, deeply understand them, normalise and then correlate the data, they can easily either trace stolen data back through the net to the hole that let it out, or from the hole, run forward to find out what was taken. The logs are the only way you can do this, so it’s important that they respond quickly and get their house in order as those penalty fines are going to be a whole lot bigger very shortly.
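The collect / parse / normalise / correlate pipeline the comment above describes, and the earlier point that a bulk GAL read by an ordinary account can't be prevented but can be noticed, look like this in the small. The following is an added example, not code from the original thread or any vendor: it normalises three constructed log formats (a VPN concentrator, an LDAP directory server, a mail gateway; none are real Shell logs and the year assumed for the syslog-style lines is an assumption) into one event shape, then correlates a large directory search with a large outbound mail from the same user, and can also replay every recorded action of a given user in order.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in three formats; the 176000 figure echoes the article,
# everything else (hosts, names, addresses) is made up for the example.
RAW_LOGS = [
    "2010-02-12T08:01:10 vpn: user=jsmith src=203.0.113.7 action=connect",
    'Feb 12 08:03:42 dirsrv conn=4411 op=3 SRCH base="ou=people,dc=example,dc=com" '
    'scope=2 filter="(objectClass=person)" nentries=176000 binddn="uid=jsmith"',
    'Feb 12 08:05:00 dirsrv conn=4412 op=1 SRCH base="ou=people,dc=example,dc=com" '
    'scope=2 filter="(uid=adoe)" nentries=1 binddn="uid=adoe"',
    "2010-02-12 08:17:31 mailgw from=jsmith@example.com to=outside@example.org size=9400000 status=sent",
    "2010-02-12T09:30:00 vpn: user=adoe src=198.51.100.9 action=connect",
]

SYSLOG_YEAR = 2010   # assumption: syslog-style lines carry no year

VPN_RE = re.compile(r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")
DIR_RE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) dirsrv .*nentries=(?P<n>\d+) binddn="uid=(?P<user>[^"]+)"$')
MAIL_RE = re.compile(r"^(?P<ts>\S+ \S+) mailgw from=(?P<user>[^@ ]+)@\S+ to=(?P<to>\S+) size=(?P<size>\d+) status=(?P<status>\S+)$")


def normalise(line):
    """Parse one raw line into a common event dict, or None if the format is unknown."""
    m = VPN_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "vpn",
                "user": m["user"], "kind": "vpn_" + m["action"], "value": m["src"]}
    m = DIR_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": "dirsrv", "user": m["user"],
                "kind": "dir_search", "value": int(m["n"])}   # value = entries returned
    m = MAIL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "source": "mailgw", "user": m["user"],
                "kind": "mail_out", "value": int(m["size"])}  # value = bytes sent
    return None


def correlate_bulk_export(events, min_entries=10000, min_bytes=1_000_000, window=timedelta(hours=1)):
    """Flag users whose large directory search is followed within `window` by a large outbound mail."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["kind"] != "dir_search" or e["value"] < min_entries:
                continue
            for later in evs[i + 1:]:
                if (later["kind"] == "mail_out" and later["value"] >= min_bytes
                        and later["ts"] - e["ts"] <= window):
                    hits.append({"user": user, "entries": e["value"], "bytes": later["value"],
                                 "search_at": e["ts"], "sent_at": later["ts"]})
    return hits


def trace_user(events, user):
    """Replay everything recorded for one user, oldest first (the 'run forward from the hole' view)."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])


EVENTS = [e for e in (normalise(line) for line in RAW_LOGS) if e]

if __name__ == "__main__":
    for hit in correlate_bulk_export(EVENTS):
        print(f"{hit['user']}: {hit['entries']} entries read at {hit['search_at']}, "
              f"{hit['bytes']} bytes mailed out at {hit['sent_at']}")
        for e in trace_user(EVENTS, hit["user"]):
            print(f"  {e['ts']} {e['source']:7} {e['kind']:12} {e['value']}")
```

The correlation deliberately keys on the user across sources rather than on any one log: a 176,000-entry directory search on its own is ordinary for an address-book sync, and a 9 MB outgoing mail on its own is ordinary too. It is the same account doing both within minutes that is worth a look, and the normalised timeline is what lets an investigator confirm or dismiss it.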