Shell warns employees of suspected data loss

Oil company Shell has dismissed one of a third-party contractor's workers, under suspicion of misusing employee data.

The employee was engaged in database work, and was removed from US Shell premises when the company learned that the employee could have misappropriated four of its employees' social-security numbers, in order to file fraudulent unemployment claims.

Shell also terminated its contract with the third-party vendor following the suspected incident. The company said it had no information as to whether any credit-card fraud had been perpetrated as a result of the breach, or whether any other employee personal data had been compromised.

The oil giant is "continuing to work with the Texas Workforce Commission and Harris County law enforcement to investigate this matter", Shell said in an employee notification of the incident.

Security analyst Andy Buss, from the firm Canalys, said it was difficult to prevent trusted employees from misusing data, whether they are internal or third-party.

"There's nothing you can do to get rid of all the bad apples," said Buss. "You'll never get around this problem, even with strict digital-rights management. For external [workers], you need to consider why they need access."

Buss said that, to mitigate the threat, companies should put in data-loss prevention or intrusion-detection capabilities to monitor the flow of information over networks. He added that companies looking to mitigate the threat of employees using removable storage devices, such as USB sticks, could physically glue ports, or put a policy in place so only corporate-issued, encrypted sticks could be used.