Seagate sued by its own staff for leaking personal info to identity thieves

Seagate is trying to fight off a lawsuit filed by employees whose personal information was lost when the storage giant was hit with a phishing attack. The company is in the midst of a hearing over whether the aggrieved workers have grounds to sue their employer for negligence after someone in human resources was duped into …

  1. Mark 85

    One can only hope that some precedent will be set and other companies will beef up their security and procedures. Spend the damn money on training and security you stupid execs. Your employees don't need this crap. Nor do your customers.

    I'm surprised that the crims are even continuing these efforts as probably they already have everyone's info out there on the dark forums for sale anyway.

    1. I Like Heckling Silver badge

      The only way any company will take security and data privacy/protection seriously is to make them financially responsible for its loss.

      At a minimum, all companies who suffer data breaches, be it via phishing/malware/hacking, should be forced to immediately disclose to all whose data has been compromised, with mandatory fines for each person and a paid-for subscription to services to resolve any issues that arise from the data loss... so that's fraud detection services, accountants/lawyers to deal with anything else, and anything else that I've not thought of... like time wasted dealing with it, stress, anxiety and so forth.

      1. Anonymous Coward

        Corporate fines == useless

        "The only way any company will take security and data privacy/protection seriously is to make them financially responsible for its loss."

        No. Absolutely no.

        While the only penalty is a financial penalty on the corporation, nothing will improve (applies to data protection and everything else). Such penalties just become a routine cost of doing business (see e.g. Ford Pinto). Costs will simply be passed on, typically to customers, staff, etc. There will be no visible impact on company culture or company execs.

        If the people allegedly personally responsible for company success (the ones who get personal megabonuses when things go well) were also held personally responsible for company failures, that would be a start.

        1. Anonymous Coward

          Re: Corporate fines == useless

          Company to employees: You won't be getting a salary increase for the next 3 years as we're spending it on beefing up IT security.

          Not exactly a punishment.

        2. a_yank_lurker

          Re: Corporate fines == useless

          Holding someone in the C-suite PHBs criminally responsible for their incompetence might do the trick.

        3. Paul Renault

          Re: Corporate fines == useless

          I agree, those who are rewarded with performance/target bonuses are viewed by the company as responsible. But, as much research has shown, personal fines, much like corporate fines, don't really change behaviour. If you really want to get their attention, you need to put people in jail.

        4. Arctic fox

          Re: Corporate fines == useless

          I entirely agree that fines they can simply regard as a business cost are indeed useless. Perhaps the answer is to make the board of directors personally liable and make it a criminal offence to in any way compensate them for the fines they would have to pay.

  2. Baldy50

    Any company or government body, whoever it is that holds people's personal information, has to be responsible for its theft IMHO and must be accountable by law.

    It would be the only way to wake them up and take security seriously at the risk of losing a pot load of money.

    When easily avoidable data breaches occur the penalty should be as high as possible, including for the perpetrator, that being the idiot that clicked on an e-mail attachment FFS, sack the numpty.

    If a store gets robbed and you'd delivered goods to that store the day before, who owes you the money for the goods, the thieves or the store?

    1. dajames

      "When easily avoidable data breaches occur the penalty should be as high as possible, including for the perpetrator, that being the idiot that clicked on an e-mail attachment FFS, sack the numpty."

      It might be better to find out whether the "numpty" has ever had any computer security awareness training, and if not to sack the person who should have arranged such training for them.

  3. Jamie Jones

    No

    The only people to blame are the banks and other financial institutions. How they got us to accept liability when *they* give away our money, is beyond me.

    Mitchell and Webb said it perfectly (audio only vid): http://www.youtube.com/watch?v=CS9ptA3Ya9E

    See also the comments on Schneier's blog: https://www.schneier.com/blog/archives/2008/07/funny_radio_ski.html

  4. Richard 12

    The data wasn't stolen

    It was given away.

    - At least, that's the allegation.

    HR handed over the private data to an unknown party. There was no break-in, they simply said "We want it" and HR handed it over.

    Therefore Seagate are 100% completely liable for this. No ifs, buts or maybes.

    It's no different to someone crashing their parked car because they forgot to put on the handbrake. They screwed up by making a pretty stupid mistake, and they are liable.

    1. Anonymous Coward

      Re: The data wasn't stolen

      That's not the problem I foresee, rather it is the actual damages incurred by the employees whose information was breached. And since no one has been able to quantify those damages, it's extremely likely that Seagate will skate, at least for the class action suit. Individual lawsuits alleging actual, quantifiable-to-date damages will work just fine, IMNSHO and IANAL.

      Now if I were on the jury, well let's say that credit monitoring for life would be the statutory damage made whole and then see how much punitive damages you can hang on top. That just might, really might get some attention when it hits the bottom line, or worse, it hits any insurance they might have laying around. Workplace safety was really driven by them way back when. Business couldn't be bothered about safety.

      1. Doctor Syntax

        Re: The data wasn't stolen

        "Workplace safety was really driven by them way back when."

        Maybe in the US. In other places there is legislation which was driven, at least in part, by media reporting of disasters. e.g. https://en.wikipedia.org/wiki/Huskar_Colliery

      2. DaLo

        Re: The data wasn't stolen

        "credit monitoring for life"

        Off topic, but your post made me think about it. Why isn't credit monitoring free for everyone anyway? It is your data that is being traded by credit monitoring services; it seems right that a simple free way of being alerted whenever a request for your data is made should be mandatory as part of the licence for setting up a credit referencing company.

        It's not a technologically complex task, a simple e-mail/SMS/automated call every time a credit search is done, and it could cut fraud significantly. You'd be able to stop that fake card being set up or a loan being taken out in your name, and the savings to the loan company would pay for a small increase in credit search costs.

        In fact, extend it further and state that whenever your personal information is sold/passed on you have to be notified. Therefore, even if you've checked the "I want marketing" box you could be notified every time that data is sold on. Whenever the DVLA send on your driver details you could be alerted - even better still, allow you 48 hours to contest it.

  5. PiltdownMan

    Even Human Remains (HR) are only human!

    Even Human Remains (HR) departments are only human!

    1. Anonymous Coward

      Re: Even Human Remains (HR) are only human!

      "Even Human Remains (HR) departments are only human!"

      Only barely.

      Most are outsourced (and often to the lowest bidder) as well. Small wonder stuff like this happens.

  6. Crazy Operations Guy

    Gives me an idea for an evil law firm

    Improperly receive a bunch of W-2s from a company, extort the company into paying to keep silent on the loss, then when they stop paying, use the information to impersonate the victims of the data loss and launch a class-action suit against the company...

    1. Anonymous Coward

      Re: Gives me an idea for an evil law firm

      You forgot also using all the details to send letters offering identity theft protection to all those whose details you have.

  7. Winkypop

    HR departments

    A law unto themselves run by bright young things.

  8. Mk4

    Personal data needs to be personal property

    I've made this point a few times on El Reg comments sections. The problem is the starting point in all disputes regarding personal data: it is dealt with in the same way as all other kinds of data, but personal data is special. The Seagate employees are having to show that Seagate was at fault; it is a similar story in all situations where personal data is deleted, given away, stolen, not available for discovery, etc.

    Data relating to individuals should be the legal property of those individuals. It should be created, copied, modified, accessed and destroyed in the same legal framework as would physical goods.

    There can be other legal provisions to make execs responsible for the proper treatment of personal data, but the starting point would be for Seagate as a corporation to be facing a criminal investigation for the loss of the personal property (of thousands of staff) that it held in trust.

  9. Anonymous Coward

    Hit Us Too

    Same thing happened to our firm this year.

    Someone in HR got an email from what she thought was one of our execs asking for info on every employee (we have about 15,000).

    No repercussions for the employee.

    I believe the reasoning was that she was trying to do her job - and I understand that reasoning.

    Credit monitoring, etc provided by the company.

    And afterward: simple safeguards put in place - and that is where I have a problem.

    Why weren't they in place before? IT security in too many firms means fixing problems when it is too late. There was nothing new, novel or unpreventable from an IT standpoint about this data breach - it should never have happened. And this exact type of breach had been well publicized, even the subject of a Wall Street Journal column.

  10. zen1

    Over my career, I've known of only one universal truth:

    A company's security is only as good as its most retarded user. And while the upper management & HR types target all security policies and procedures at the worker bees in the trenches, the fact is, some of the most prolific offenders are those in the upper echelon.

    I don't know how many times I've been approached by an executive demanding unrestricted access to the internet, and much to my boss's dismay, I will drag my feet and attempt to explain why this isn't always the best idea. When that doesn't work, which for most of the higher grade folks it doesn't, I explain how the corporate network isn't a democracy, especially in our line of business. They charged my department with safeguarding the information, our equipment and our user community, which is a responsibility I take extremely seriously and very personally. And after getting caught up in the US government's OPM debacle, I've come to the conclusion that I would rather be fired by an executive for being a hard ass than for being too lax and irresponsible.

    So, when I hear about unfortunate situations like this, it makes me furious that the corporation attempts to shirk all responsibility and liability. At the very minimum they should pay for several years of credit record and identity fraud detection. Then they should help minimize the liability to any employees who've been victimized by identity fraud.

    1. Medixstiff

      Re: Over my career, I've known of only one universal truth:

      "A company's security is only as good as its most retarded user. And while the upper management & HR types target all security policies and procedures at the worker bees in the trenches, the fact is, some of the most prolific offenders are those in the upper echelon."

      That sums it all up right there. I've had countless "discussions" with senior Manglers over why we don't allow Admin privileges outside of IT staff, and how it's usually Manglers that are the most likely to be targeted in an organisation.

      For those that don't believe me, I point to an article about one of the Directors in the last place I worked and how he "decided" to take a sabbatical from IT.

      I then tell them the truth about his situation and that tends to put them in their place, along with the wrath of the CEO - which they've all felt at one time - if a breach occurred and it pointed to them as the culprit.

  11. Anonymous Coward

    I hope they

    achieve more success than the employees of Morrisons, who, after a data breach a few years ago, as a means of recompense were "generously" given a year's worth of free "Experian Credit" checking...

  12. raving angry loony

    Sad

    It's really sad that they had to sue rather than Seagate admitting they fucked up and doing the right thing, which is completely protecting and compensating their own employees for the inevitable deluge of identity theft, scams, and other frauds perpetrated using this leaked data.

    It's time the directors of these corporations saw the corporate protection veil lifted and started getting close and personal attention for the incompetence they bring to data protection in their domains. Only when people are held personally accountable will anything improve. Any "corporate" level enforcement is useless, failure just becomes part of the cost of doing business. Because it's ALWAYS failure, since actually stopping this invariably costs more than hiring a few lawyers or bribing a minister or six to fast-talk their way out of any meaningful penalties.

  13. stilespj

    TWO crimes

    Someone sent a phishing e-mail to Seagate asking for ...

    The first crime.

    Someone at Seagate, grossly incompetent, neglectful, or whatever you want to label it, did not perform due diligence and gave the phishers what they asked for.

    The second crime.

    It took BOTH crimes to get to where these Seagate employees are now.

    Seagate would be well advised to settle out of court. They do not need to further advertise how incompetent they are in the area of personal employee information. Nor do they need to further demonstrate how little respect they have for their employees.

    I've worked at places where there have been security intrusions. The employers have always been pro-active and have, at least, paid for security monitoring for everyone that was potentially affected.

    What have you done, Seagate, for your employees?

  14. adam payne

    "Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals," Seagate claims."

    Seagate may not be responsible for what others do with the data but the criminals wouldn't have had the data if it hadn't been given to them. Seagate gave them the details so they are liable for damages they have caused.
