2018 - The Year of HR Data Theft
In November 2017, a departing Twitter employee deactivated Donald Trump's Twitter account. It was the employee's last day at work.
Data is the new oil
The digital world runs on data. It allows a company to create an offering that is specific to one individual. When you use Google to search for something, the results that show up vary depending on your browser, your location and whether you are signed in to Google. The data collected from billions of its users allows Google to sell advertisements that are intended to appeal to the individual user.
If data is the new oil, make sure the oil pipe is not leaking.
Breached today, realized much later
The pattern of data breaches is clear. The attackers sneak into the databases and, because they operate in stealth, their presence goes undetected for months. Could it be that your employees' data has already been compromised and you are blissfully unaware?

If you had a Yahoo email account, or used one of its services such as Flickr, it is quite likely that it was among the one billion accounts Yahoo reported stolen in its 2013 breach, one of the largest ever. In October 2017, when Verizon, the new owner of Yahoo, had cyber-security professionals comb through the details of the breach, they found that all three billion accounts had been affected. Talking of Verizon, the names, phone numbers and account PINs of six million Verizon customers were left exposed online for around nine days because of a misconfigured cloud storage server.

In September 2017, Equifax reported that the personal data of 143 million Americans had been breached. The criminals accessed Social Security numbers, birth dates and addresses. Equifax discovered the intrusion on 29 July 2017, but the attackers had been inside for weeks before that, and the public learned of it only in September.

The infamous Target data breach had likewise been under way for weeks before it was discovered. The hackers broke into a supplier's computer system, used its credentials to get into Target's network and worked their way to the systems handling credit card data.
Employee data can reveal a lot
India's Companies (Appointment and Remuneration of Managerial Personnel) Rules make it mandatory for a publicly listed company to disclose the remuneration of its ten highest-paid employees. The Annual Report also lists the names of all employees who are paid more than one crore and two lakh rupees a year. This data is publicly available and is regularly consulted by headhunters, competitors, curious employees and tax authorities. It can reveal disparities in pay by gender or function.

Sony Corp. agreed to pay as much as $8 million to settle claims from employees over the theft of their personal information in the computer hack linked to the release of the controversial movie "The Interview". When the data was breached in December 2014, North Korean hackers were alleged to be behind it. The leaked data revealed that women lead actors were routinely paid less than their male co-leads.
Data about health, psychometric testing etc
Besides compensation-related data, there is much more that employee databases can reveal. Data about domestic partners can reveal the sexual orientation of employees. Medical records and related information are prime targets for misuse. Access to succession-planning data can be precious to competitors and search firms alike.

Even knowing the company's pattern for creating email addresses (for example firstname_lastname@companyname.com) lets attackers address phishing emails to every employee: once the pattern is known, a list of names is all they need. After all, they need just one employee to click on the link. I know of an IT giant that uses algorithms to generate the email addresses of new hires. The pattern is changed frequently.

Psychometric tests are routinely taken by employees during training programs or when development centres are used to identify high-potential employees. It is worth examining who can access this data and what checks and balances are in place to prevent leakage and misuse.
Get Started
It may be wise to ask your employer's HR department what data about you is stored (it is your data, remember). Ask who has access to it and how it is protected. Ask whether it is encrypted, both where it is stored and when it is sent between systems.
- Where: Where is the data stored? Besides servers, a lot of data lives on individual devices and on paper scattered across the office.
- Who: An access matrix helps decide which roles (not individuals) need access to which data. When an individual moves out of a role, the access that came with the role must be revoked immediately.
- How long: Create policies that specify how long data is retained after an employee leaves. Decide what must be kept for compliance, and what procedure the HR team will follow to dispose of the rest.
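The "Who" and "How long" points above describe two mechanisms: access that is tied to roles rather than to people, and a retention period per category of data. The following is an added example, not code from the article, showing the simplest way to get both properties: the access decision is computed at request time from the current role membership (so moving someone out of a role revokes their access with no separate cleanup step), and a retention table drives the disposal check. The role names, data categories, user ids, retention periods and sample records are all illustrative assumptions, not the rules of any real company.

```python
"""Added example (not from the original article): a role-based access
matrix for HR data plus a retention check. Roles, categories, users and
retention periods below are assumed for illustration only."""
from datetime import date, timedelta

# Access matrix: role -> HR data categories that role may read.
# Individuals never appear here; they appear only in ROLE_HOLDERS.
ACCESS_MATRIX = {
    "hr_business_partner": {"contact", "compensation", "succession"},
    "payroll":             {"contact", "compensation"},
    "occupational_health": {"contact", "medical"},
    "line_manager":        {"contact"},
}

# Current role holders: role -> user ids. This is the only place a person is
# tied to access, so a role change is a single edit here. (Constructed data.)
ROLE_HOLDERS = {
    "hr_business_partner": {"asha"},
    "payroll":             {"ravi"},
    "occupational_health": {"meera"},
    "line_manager":        {"ravi", "john"},
}


def roles_of(user):
    """Roles the user holds right now, derived from ROLE_HOLDERS."""
    return {role for role, members in ROLE_HOLDERS.items() if user in members}


def can_read(user, category):
    """Access decision made at request time from current role membership.
    Nothing is cached per user, so there is no stale grant to forget."""
    return any(category in ACCESS_MATRIX.get(role, set())
               for role in roles_of(user))


def change_role(user, old_role, new_role):
    """Move a user between roles. Access that came with old_role disappears
    immediately because can_read() consults only ROLE_HOLDERS."""
    ROLE_HOLDERS.setdefault(old_role, set()).discard(user)
    ROLE_HOLDERS.setdefault(new_role, set()).add(user)


# Retention policy: category -> days kept after the employee's leaving date.
# Periods are assumed; a real policy comes from legal and compliance.
RETENTION_DAYS = {
    "contact": 365,
    "compensation": 7 * 365,   # assumed statutory payroll retention
    "medical": 90,
    "succession": 30,
    "psychometric": 0,         # delete at exit
}


def records_due_for_disposal(records, today):
    """records: iterable of (employee, category, leaving_date) with dates as
    ISO strings, as an HR export would give them. Returns (due, unpoliced):
    records whose retention has expired, and records whose category has no
    retention rule at all, which is itself a finding to fix, not data to keep
    silently."""
    today = date.fromisoformat(today)
    due, unpoliced = [], []
    for employee, category, leaving in records:
        days = RETENTION_DAYS.get(category)
        if days is None:
            unpoliced.append((employee, category))
            continue
        if today >= date.fromisoformat(leaving) + timedelta(days=days):
            due.append((employee, category))
    return due, unpoliced


if __name__ == "__main__":
    print(can_read("ravi", "compensation"))      # True, via the payroll role
    change_role("ravi", "payroll", "line_manager")
    print(can_read("ravi", "compensation"))      # False, revoked with the role
    sample = [("priya", "psychometric", "2017-11-30"),   # constructed records
              ("priya", "compensation", "2017-11-30"),
              ("priya", "exit_interview", "2017-11-30")]
    print(records_due_for_disposal(sample, "2017-12-31"))
```

The point of the design is that revocation is not a task anyone has to remember: the only way to hold access is to be in a role today, and the disposal check reports data categories that have no policy instead of quietly retaining them forever.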
If you are an influencer in the HR team, here are a few ideas for you to consider:
- During mergers and acquisitions, pay special attention to data security. It is not just the security of the IT systems that matters but also the average employee's attitude towards data security and privacy.
- Ask for the HR data hubs to be audited for security with the same stringency applied to access to financial systems.
- Train and certify every member of the HR team in data security and access control. Make rules about access to HR databases from unsecured personal devices; Bring Your Own Device arrangements add a further layer of challenges to keeping HR data secure.
- Make your data policy known to employees. It is their data. Ask them for ideas about best practices.
- Create day-zero scenarios. Plan how you will react if you learn that your HR data is available on the web. What if someone wants to use it to expose inconsistencies, or even to hold you to ransom? Whose help can you call on? What does it cost, and how long does it take, to address such a breach?
If 2018 becomes the year of HR data theft, make sure you are not the victim. What are some of the best practices that can help protect employee data? Do add your ideas to the mix. Your idea may save someone's data from ending up on the dark web.
--------------
First published by People Matters, December 2017 issue.
Join me on Twitter @AbhijitBhaduri