Simon Says – Musings of a Technology CTO

Last week (13th Feb) Shell Oil announced that the personal details of all 170,000 employees and contractors had been leaked to a number of non-Government organizations via email, these included Greenpeace’s American office, Earthrights, Justice in Nigeria Now, Shell Guilty, Friends of the Earth (Netherlands). Also included was the anti-Shell website Royaldutchshellplc.com. The story was well covered in the UK national press.

The list included a limited number of personal addresses.

As those of you who follow data protection law know, from April 6 2010 the Information Commissioners Office (ICO) in the UK will have the power to impose fines of up to £500,000 (raised from the current £5,000 limit) on companies breaching data privacy regulations. The ICO is well aware of this particular incident according to the news article, we’ll have to wait and see whether a fine is imposed.

Stopping malicious activity like this is very hard – data can be leaked through so many vectors – email, copying to sticks, burning to a CD, even printing out the data and physically posting it.

But, all these vectors can be controlled to a high degree using DLP technologies. Printing can be restricted, as can file movements and email transfers. And, even if things “leak” out due to ineffective policy, DLP Forensics can at least give you a chain of evidence to point the finger at exactly who/where the data leaked from.