Seagate sued by its own staff for leaking personal info to identity thieves

Silver badge

One can only hope that some precedent will be set and other companies will beef up their security and procedures. Spend the damn money on training and security you stupid execs. Your employees don't need this crap. Nor do your customers.

I'm surprised that the crims are even continuing these efforts as probably they already have everyone's info out there on the dark forums for sale anyway.

31
0

The only way any company will take security and data privacy/protection seriously is to make them financially responsible for its loss.

At a minimum, all companies who suffer data breaches, be it via phishing/malware/hacking, should be forced to immediately disclose to all whose data has been compromised, with mandatory fines for each person and a paid-for subscription to services to resolve any issues that arise from the data loss... so that's fraud detection services, accountants/lawyers to deal with anything else, and anything else that I've not thought of... like time wasted dealing with it, stress, anxiety and so forth.

23
0
Anonymous Coward

Corporate fines == useless

"The only way any company will take security and data privacy/protection seriously is to make them financially responsible for its loss."

No. Absolutely no.

While the only penalty is a financial penalty on the corporation, nothing will improve (applies to data protection and everything else). Such penalties just become a routine cost of doing business (see e.g. Ford Pinto). Costs will simply be passed on, typically to customers, staff, etc. There will be no visible impact on company culture or company execs.

If the people allegedly personally responsible for company success (the ones who get personal megabonuses when things go well) were also held personally responsible for company failures, that would be a start.

31
2
Anonymous Coward

Re: Corporate fines == useless

Company to employees: You won't be getting a salary increase for the next 3 years as we're spending it on beefing up IT security.

Not exactly a punishment.

1
0
Silver badge

Re: Corporate fines == useless

Holding some of the C-suite PHBs criminally responsible for their incompetence might do the trick.

8
0

Re: Corporate fines == useless

I agree, those who are rewarded with performance/target bonuses are viewed by the company as responsible. But, as much research has shown, personal fines, much like corporate fines, don't really change behaviour. If you really want to get their attention, you need to put people in jail.

5
0
Silver badge

Re: Corporate fines == useless

I entirely agree that fines they can simply regard as a business cost are indeed useless. Perhaps the answer is to make the board of directors personally liable and make it a criminal offence to in any way compensate them for the fines they would have to pay.

0
0
Bronze badge

Any company or government body, whoever it is that holds people's personal information, has to be responsible for its theft IMHO and must be accountable by law.

It would be the only way to wake them up and take security seriously at the risk of losing a pot load of money.

When easily avoidable data breaches occur the penalty should be as high as possible, including for the perpetrator, that being the idiot that clicked on an e-mail attachment FFS. Sack the numpty.

If a store gets robbed and you'd delivered goods to that store the day before, who owes you the money for the goods the thieves or the store?

18
0
Silver badge

"When easily avoidable data breaches occur the penalty should be as high as possible, including for the perpetrator, that being the idiot that clicked on an e-mail attachment FFS. Sack the numpty."

It might be better to find out whether the "numpty" has ever had any computer security awareness training, and if not to sack the person who should have arranged such training for them.

5
0
Silver badge
Stop

No

The only people to blame are the banks and other financial institutions. How they got us to accept liability when *they* give away our money, is beyond me.

Mitchell and Webb said it perfectly (audio only vid): http://www.youtube.com/watch?v=CS9ptA3Ya9E

See also the comments on Schneier's blog: https://www.schneier.com/blog/archives/2008/07/funny_radio_ski.html

3
2
Silver badge

The data wasn't stolen

It was given away.

- At least, that's the allegation.

HR handed over the private data to an unknown party. There was no break-in, they simply said "We want it" and HR handed it over.

Therefore Seagate are 100% completely liable for this. No ifs, buts or maybes.

It's no different to someone crashing their parked car because they forgot to put on the handbrake. They screwed up by making a pretty stupid mistake, and they are liable.

17
0
Silver badge

Re: The data wasn't stolen

That's not the problem I foresee; rather it is the actual damages incurred by the employees whose information was breached. And since no one has been able to quantify those damages, it's extremely likely that Seagate will skate, at least for the class action suit. Individual lawsuits alleging actual, quantifiable-to-date damages will work just fine, IMNSHO and IANAL.

Now if I were on the jury, well let's say that credit monitoring for life would be the statutory damage made whole and then see how much punitive damages you can hang on top. That just might, really might get some attention when it hits the bottom line, or worse, it hits any insurance they might have laying around. Workplace safety was really driven by them way back when. Business couldn't be bothered about safety.

6
1
Silver badge

Re: The data wasn't stolen

"Workplace safety was really driven by them way back when."

Maybe in the US. In other places there is legislation which was driven, at least in part, by media reporting of disasters. e.g. https://en.wikipedia.org/wiki/Huskar_Colliery

1
0
Silver badge

Re: The data wasn't stolen

"credit monitoring for life"

Off topic, but your post made me think about it. Why isn't credit monitoring free for everyone anyway? It is your data that is being traded by credit monitoring services; it seems right that a simple free way of being alerted whenever a request for your data is made should be mandatory as part of the licence for setting up a credit referencing company.

It's not a technologically complex task, a simple e-mail/sms/automated call every time a credit search is done and it could cut fraud significantly. You'd be able to stop that fake card being set up or a loan being taken out in your name and the savings to the loan company would pay for a small increase in credit search costs.

In fact, extend it further and state that whenever your personal information is sold/passed on you have to be notified. Therefore, even if you've checked the "I want marketing" box you could be notified every time that data is sold on. Whenever the DVLA send on your driver details you could be alerted - even better still, allow you 48 hours to contest it.

0
0

Even Human Remains (HR) are only human!

Even Human Remains (HR) departments are only human!

1
0
Anonymous Coward

Re: Even Human Remains (HR) are only human!

"Even Human Remains (HR) departments are only human!"

Only barely.

Most are outsourced (and often to the lowest bidder) as well. Small wonder stuff like this happens.

0
0
Silver badge
Devil

Gives me an idea for an evil law firm

Improperly receive a bunch of W-2s from a company, extort the company into paying to keep silent on the loss, then when they stop paying, use the information to impersonate the victims of the data loss and launch a class-action suit against the company...

2
0
Anonymous Coward

Re: Gives me an idea for an evil law firm

You forgot also using all the details to send letters offering identity theft protection to all those who you have the details to.

1
0
Silver badge
FAIL

HR departments

A law unto themselves run by bright young things.

2
0
Mk4

Personal data needs to be personal property

I've made this point a few times on El Reg comments sections. The problem is the starting point in all disputes regarding personal data: it is dealt with in the same way as all other kinds of data, but personal data is special. The Seagate employees are having to show that Seagate was at fault; it is a similar story in all situations where personal data is deleted, given away, stolen, not available for discovery, etc.

Data relating to individuals should be the legal property of those individuals. It should be created, copied, modified, accessed and destroyed in the same legal framework as would physical goods.

There can be other legal provisions to make execs responsible for the proper treatment of personal data, but the starting point would be for Seagate as a corporation to be facing a criminal investigation for the loss of the personal property (of thousands of staff) that it held in trust.

6
0
Silver badge

Hit Us Too

Same thing happened to our firm this year.

Someone in HR got an email from what she thought was one of our execs asking for info on every employee (we have about 15,000).

No repercussions for the employee.

I believe the reasoning was that she was trying to do her job - and I understand that reasoning.

Credit monitoring, etc provided by the company.

And afterward: simple safeguards put in place - and that is where I have a problem.

Why weren't they in place before? IT security in too many firms means fixing problems when it is too late. There was nothing new, novel or unpreventable from an IT standpoint about this data breach - it should never have happened. And this exact type of breach had been well publicized, even the subject of a Wall Street Journal column.

2
0

Over my career, I've known of only one universal truth:

A company's security is only as good as its most retarded user. And while the upper management & HR types target all security policies and procedures for the worker bees in the trenches, fact is, some of the most prolific offenders are those in the upper echelon.

I don't know how many times I've been approached by an executive demanding unrestricted access to the internet, and much to my boss's dismay, I will drag my feet and attempt to explain why this isn't always the best idea. When that doesn't work, which for most of the higher grade folks it doesn't, I explain how the corporate network isn't a democracy, especially in our line of business. They charged my department with safeguarding the information, our equipment and our user community, which is a responsibility I take extremely seriously and very personally. And after getting caught up in the US government's OPM debacle, I've come to the conclusion that I would rather be fired by an executive for being a hard ass than for being too lax and irresponsible.

So, when I hear about unfortunate situations like this, it makes me furious that the corporation attempts to shirk all responsibility and liability. At the very minimum they should pay for several years of credit record and identity fraud detection. Then they should help minimize the liability to any employees who've been victimized by identity fraud.

3
0

Re: Over my career, I've known of only one universal truth:

"A company's security is only as good as its most retarded user. And while the upper management & HR types target all security policies and procedures for the worker bees in the trenches, fact is, some of the most prolific offenders are those in the upper echelon."

That sums it all up right there. I've had countless "discussions" with senior Manglers over why we don't allow Admin privileges outside of IT staff and how it's usually Manglers that are the most likely to be targeted in an organisation.

For those that don't believe me, I point to an article about one of the Directors in the last place I worked and how he "decided" to take a sabbatical from IT.

I then tell them the truth about his situation and that tends to put them in their place, along with the wrath of the CEO - which they've all felt at one time - if a breach occurred and it pointed to them as the culprit.

0
0
Silver badge

I hope they

achieve more success than the employees of Morrisons, who after a data breach a few years ago, as a means of recompense, were "generously" given a year's worth of free "Experian Credit" checking...

0
0

Sad

It's really sad that they had to sue rather than Seagate admitting they fucked up and doing the right thing, which is completely protecting and compensating their own employees for the inevitable deluge of identity theft, scams, and other frauds perpetrated using this leaked data.

It's time the directors of these corporations saw the corporate protection veil lifted and started getting close and personal attention for the incompetence they bring to data protection in their domains. Only when people are held personally accountable will anything improve. Any "corporate" level enforcement is useless, failure just becomes part of the cost of doing business. Because it's ALWAYS failure, since actually stopping this invariably costs more than hiring a few lawyers or bribing a minister or six to fast-talk their way out of any meaningful penalties.

2
0

TWO crimes

Someone sent a phishing e-mail to Seagate asking for ...

The first crime.

Someone at Seagate, grossly incompetent, neglectful, or whatever you want to label it, did not perform due diligence and gave the phishers what they asked for.

The second crime.

It took BOTH crimes to get to where these Seagate employees are now.

Seagate would be well advised to settle out of court. They do not need to further advertise how incompetent they are in the area of personal employee information. Nor do they need to further demonstrate how little respect they have for their employees.

I've worked at places where there have been security intrusions. The employers have always been pro-active and have, at least, paid for security monitoring for everyone that was potentially affected.

What have you done, Seagate, for your employees?

0
0
Silver badge

"Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals," Seagate claims.

Seagate may not be responsible for what others do with the data but the criminals wouldn't have had the data if it hadn't been given to them. Seagate gave them the details so they are liable for damages they have caused.

0
0
