A call to the Texas Workforce Commission by a Shell Oil employee whose Social Security number had been stolen kicked off an investigation that led to the discovery of the alleged thief.
The suspect, an IT contractor’s employee performing data indexing for Shell at the oil company’s Houston, Tex. offices, is accused of stealing the Social Security numbers of four Shell employees, and later using them to file false claims for unemployment benefits.
The breach marked the latest indication of the potential threat posed by inside jobs when it comes to data security — an increasingly important area of focus for security vendors and their enterprise customers. In the Shell case, however, much of the credit for initially uncovering the theft goes to one of the victims, officials said.
“The call came to our fraud hotline from a woman who worked for the Shell Trading division of Shell Oil,” said Ann Hatchitt, a spokesperson for TWC, the state agency overseeing and providing workforce development services in Texas.
“We received the information from the fraud hotline on July 10 and looked into it, and let Shell know that we suspected a situation,” Hatchitt told InternetNews.com.
When anyone files an unemployment insurance claim with the TWC, the commission contacts the employer to confirm when that person left that company.
In this case, when Shell went through its files, it “found that the person who had called in was still working for them, and they started to investigate how that happened,” Hatchitt said. Shell then discovered that there were other victims, and “notified us over a period of months as the claims came in.”
Hatchitt said that the investigations showed false initial unemployment insurance claims were made between May 11 and Sept. 21, using the four victims’ Social Security numbers.
TWC is investigating the matter together with the Harris County Sheriff and with Shell, Hatchitt added.
Shell, the U.S. subsidiary of Royal Dutch Shell (NYSE: RDS-B), only notified employees of the problem in an internal memo on Oct. 3, well after it discovered the first theft. The company said it had delayed sending the notification because it had been conducting its own internal investigation, liaising with the investigators from the TWC and the Harris County Sheriff’s Office, and dealing with Hurricane Ike, Shell spokesperson Robin Lebovitz has said.
The identity theft victims have been advised that they can check with credit reporting agencies, and Shell has terminated the contract with the company that employed the alleged thief, it has said.
This incident supports the findings of a study conducted in late 2007 by ID Analytics, which discovered that internal data thieves were worse than those outside the corporate firewall. The study found that from 3 percent to 36 percent of identities stolen by internal data thieves were misused, compared to only 0.01 to 0.5 percent of identities stolen in external data breaches.
However, external data breaches, like the TJX credit card scandal, get far more play because they have typically involved far more victims.
While a combination of role-based identity management and process and policy management could help to prevent internal staff and contractors from accessing off-limits information or applications, it is almost impossible to prevent someone from stealing data they already have the right to access, said Mark McClain, CEO of identity risk management technology vendor Sailpoint Technologies.