This week the BBC reported that someone has disclosed contact details for 170,000 of Shell’s employees worldwide. The disclosure comes with a note claiming it was made by former employees who can’t stand the damage the company is doing to the environment. Shell has in turn downplayed the event, claiming that the information disclosed does not pose a security risk to its employees since it does not include employees’ addresses.

Following this statement, I really hope that it is simply damage control on Shell’s part and that the company does not truly believe what it released. Whenever an organization is hit with something like this the implications are enormous, and it’s definitely not something to take lightly. While the details published were, for the most part, names and phone numbers, there is no guarantee that whoever perpetrated the leak doesn’t have access to additional information. Furthermore, even with information as limited as names and contact numbers, a social engineer can use it very effectively to infiltrate the organization.

Another thing Shell should definitely be concerned about is this: if the attacker managed to get access to this data, what else did he manage to get his hands on? How will this affect its workforce? Will the resulting harassment lead to people leaving the company? Will the breach mean that some prospective employees think twice before joining the company, fearing for their privacy? What about lost business? It is definitely to be expected that some companies will worry about whether their contractual and financial details are safe with Shell, and that can lead to lost deals and revenue.

What is definite is that such a breach causes one huge PR nightmare that will not go away by downplaying the breach; downplaying, if anything, will make the situation worse.

As the proverb goes, prevention is better than cure, and this was never more so than in the realm of security. Once such a breach occurs the damage is done. Contingencies may limit the damage a little, but in any case the resulting fallout is likely to be more expensive than protecting the system in the first place. I am obviously not claiming that Shell didn’t do its best to protect its data; that’s something I do not know and have no way of knowing. What I am trying to say is that one should do one’s best to avoid such an unfortunate situation. If one is to believe the disclosed letter, the attack was perpetrated by insiders. While Shell itself is sceptical of this claim, it is really not that hard to believe. Time and time again researchers have placed insider threats very high among the security risks organizations face. Worse yet, organizations often spend the majority of their security budget protecting the inside from the outside and not the inside from itself. One would do very well to remember that in security one loses as soon as the weakest link is compromised, not after the strongest measures fall.

Stories such as this should be an effective cautionary tale of what security is meant to avoid. While investing in endpoint security, the perimeter and access control might not bring any tangible ROI in the short term, if that one-time cost can avoid an unpleasant situation such as this it will have more than paid for itself.