UPDATED: An IT contractor’s employee performing data indexing for Shell Oil at its Houston, Tex. offices stole the Social Security numbers of four Shell staff and used them to file false claims for unemployment benefits.
The theft was discovered Sept. 4 after the claims were filed with the Texas Workforce Commission (TWC), the state government agency overseeing and providing workforce development services in Texas, Shell spokesperson Robin Lebovitz told InternetNews.com.
Shell, the U.S. subsidiary of Royal Dutch Shell (NYSE: RDS-B), launched an internal investigation and notified the TWC and the Harris County Sheriff’s Office, Lebovitz said. The TWC and the Harris County Sheriff’s Office did not respond to requests for comment by press time.
Shell only notified employees of the problem in an internal memo on Oct. 3 because “we were conducting our own internal investigation and working with TWC and Harris County investigators in addition to dealing with Hurricane Ike,” Lebovitz said.
Shell has notified the employees whose information was stolen and terminated the contract with the company that employed the alleged thief. Although Lebovitz kept referring to that company as an “agency,” she would not clarify whether it was a private company or a governmental agency because “the investigation is ongoing,” she said.
The victims have been advised that they can check with credit reporting agencies, and Shell is continuing to work with the TWC and Harris County to investigate the matter, Lebovitz added.
Shell’s internal memo said the company “has no information that there was any credit card fraud or that any other employees’ SSNs, names, dates of birth or financial information was misused by the vendor’s employee.” It has set up a toll-free helpline to handle staff’s queries about the incident.
The incident highlights the difficulty of guarding against internal fraud and theft, which results in far more misuse of stolen identities than external theft. “It’s the classic case of an insider abusing access to data they have a business reason to have,” Mark McClain, CEO of identity risk management technology vendor Sailpoint Technologies, told InternetNews.com.
Because the alleged thief had the right to access the data, monitoring tools may not have seen anything out of the ordinary, McClain added. “You can’t assume that technology protects against all risks forever,” he explained.
However, McClain said that, because of the very limited amount of data stolen, Shell “probably had done all the right things and the most this person could do is probably hand copy some information.”
The data theft may lead to some unintended fallout in that it may render Shell vulnerable to accusations of non-compliance. The Sarbanes-Oxley Act
McClain warned that risk can never be eliminated; it can only be “managed, contained and prioritized.” That’s in line with the thinking of most security experts, who contend that risk management is now an essential part of information security.
“In some ways, it’s good news that only four people were compromised, because it shows Shell did a good job of constraining the risk,” McClain said.
Update corrects the date Shell issued its memo.