An outside IT contractor's employee performing data indexing for Shell Oil at its Houston, Tex. offices stole the social security numbers of four Shell staff and used them to file false claims for unemployment benefit.
The theft was discovered September 4 after the claims were filed with the Texas Workforce Commission (TWC), the state government agency overseeing and providing workforce development services in Texas, Shell spokesperson Robin Lebovitz told InternetNews.com.
Shell, the U.S. subsidiary of Royal Dutch Shell (NYSE: RDS-B), launched an internal investigation and notified the TWC and the Harris County Sherriff's Office, Lebovitz said. The TWC and the Harris County Sheriff's Office did not respond to requests for comment by press time.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iShell only notified employees of the problem in an internal memo on October 10 because "we were conducting our own internal investigation and working with TWC and Harris County investigators in addition to dealing with Hurricane Ike," Lebovitz said.
Shell has notified the employees whose information was stolen and terminated the contract with the company that employed the alleged thief. Although Lebovitz kept referring to that company as an "agency," she would not clarify whether it was a private company or a governmental agency because "the investigation is ongoing," she said.
The victims have been advised that they can check with credit reporting agencies and Shell is continuing to work with the TWC and Harris County to investigate the matter, Lebovitz added.
Shell's internal memo said the company "has no information that there was any credit card fraud or that any other employees' SSNs, names, dates of birth or financial information was misused by the vendor's employee." It has set up a toll-free helpline to handle staff's queries about the incident.
The incident highlights the difficulty of guarding against internal fraud and theft, which results in far more misuse of stolen identities than external theft. "It's the classic case of an insider abusing access to data they have a business reason to have," Mark McClain, CEO of identity risk management technology vendor Sailpoint Technologies, told InternetNews.com.
Because the alleged thief had the right to access the data, monitoring tools may not have seen anything out of the ordinary, McClain added. "You can't assume that technology protects against all risks forever," he explained.