Shell’s Data Breach: A Security Spill?
This week the BBC reported that someone has disclosed contact details for 170,000 of Shell’s employees worldwide. The disclosure comes with a note claiming that it was made by former employees who can’t stand the damage the company is doing to the environment. Shell has in turn downplayed the event, claiming that the information disclosed does not pose a security risk to its employees since it does not include employees’ addresses.
I really hope that this statement is simply damage control on Shell’s part and that the company does not truly believe it. Whenever an organization is hit with something like this the implications are enormous, and it’s definitely not something to take lightly. While the published details consisted for the most part of names and phone numbers, there is no guarantee that whoever perpetrated the leak doesn’t have access to additional information. Furthermore, even information as limited as names and contact numbers can be used very effectively by a social engineer to infiltrate the organization.
Another thing Shell should definitely be concerned about is this: if the attacker managed to get access to this data, what else did he manage to get his hands on? How will this affect its workforce? Will the resulting harassment lead to people leaving the company? Will the breach mean that some prospective employees think twice before joining the company, fearing for their privacy? What about lost business? It is only to be expected that some companies will worry about whether their contractual and financial details are safe with Shell, and that can lead to lost deals and revenue.
What is certain is that such a breach causes one huge PR nightmare that will not go away by downplaying the breach; downplaying, if anything, will make the situation worse.
As the proverb goes, prevention is better than cure, and this was never more true than in the realm of security. Once such a breach occurs the damage is done. Contingencies may limit the damage a little, but in any case the resulting fallout is likely to be more expensive than protecting the system in the first place. I am obviously not claiming that Shell didn’t do its best to protect its data; that’s something I do not know and have no way of knowing. What I am trying to say is that one should do one’s best to avoid such an unfortunate situation. If one is to believe the disclosed letter, the attack was perpetrated by insiders. While Shell itself is sceptical of this claim, it is really not that hard to believe. Time and time again researchers have placed insider threats very high among the security risks organizations face. Worse yet, organizations often spend the majority of their security budget protecting the inside from the outside and not the inside from itself. One would do very well to remember that in security one loses as soon as the weakest link is compromised, not after the strongest measures fall.
Stories such as this should serve as an effective cautionary tale of what security is meant to avoid. While investing in endpoint security, the perimeter and access control might not bring any tangible ROI in the short term, if that one-time cost can avoid an unpleasant situation such as this it will have more than paid for itself.
btw, the National Security Agency was recently hacked. Yes, hacked! But it was downplayed to the media for obvious shameful reasons. Here’s the link:
http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html
Hi IT Ninja, thank you for sharing this with us. I personally hadn’t heard of this event; however, after looking it up, it was in fact reported sporadically here and there. Seems like they fell victim to SQL injection.
The thing is that no one is perfectly safe; everybody can get hacked. But I agree with you, downplaying the incident will serve no good purpose. Obviously you don’t need to make a fuss over it either, but if you’re a victim of SQL injection then wouldn’t it be better to say that the issue was identified and fixed, rather than “it’s no big deal, no data was stolen”, for example? (Of course you must make sure that you fix the issue before claiming that it is fixed.) No one expects you to be perfect, but I would worry if I thought that a company I do business with doesn’t see the danger for what it is, and by downplaying these types of incidents that’s what will happen.
Hi Emmanuel, as an ethical hacker (white hat) myself, I do agree that no system is perfectly safe, especially on the internet, but what simply stunned me the most was the facts behind the NSA attack. The NSA has been on top of security campaigns with its countless press releases, but it cannot defend itself against an 8-year-old technique that even a techie high-school kid can conduct? And now here’s more: NASA servers’ “live” vulnerabilities are listed on pinoysecurity too.
Yes, I do agree it looks ugly for the NSA to suffer such an attack; however, one must understand that the NSA, just like any other organization, is made up of people, lots of them I suspect, and even provided that the NSA does everything exactly as it preaches, you still cannot control that one employee who, to cut corners because of tight deadlines or simply because he was still not very experienced, missed some sanitation code in the web application that he was developing and subsequently was unlucky enough that testing missed it as well.
Don’t get me wrong, you’re right, an SQL injection is like one of the most basic things you can ever face! It shouldn’t have slipped the developer and testing should have tried it out and found the flaw.
Let’s hope that events such as these help to educate people and help them grow. Security is a never ending process and a battle with the defender at a disadvantage. The defender needs to think about everything while the attacker needs only find one weakness.