
Disclosing Data Breach to Business - How To?



Morning all, long time lurker and all that...

I've got a bit of a situation and I'm curious to get opinions on how to deal with it: I'm currently a network admin for a large enterprise network. I'm responsible for LAN/WAN, firewalls and ever more increasingly, security work. I've always had an interest in security and I've been lucky that I've been able to legitimately incorporate elements of it into my role. HOWEVER, I'm currently job hunting, looking for a skill/responsibility/salary increase...

I've recently applied for a job that is pretty similar to my own, but with more responsibility, and it sounds like a greater emphasis on InfoSec work. Whilst I've been Googling the company in question to try and find out more about them, I've happened across documents that would constitute (under UK law) a breach of the Data Protection Act. I hasten to add that these documents were found with nothing more than Google and some targeted searching - an employee has been using a website that allows company documents to be uploaded, but they are not in any way protected from public viewing. I have not mentioned or passed this on to anyone else, but it includes names, addresses, phone numbers, emails and financials. The flipside of that, is that the employee responsible is easily identifiable, and could potentially wind up in a whole boatful of trouble.

What would you do about it? As a non-employee, would you even bother bringing it to their attention, or just keep quiet instead? Or sit on it in the hope of being invited to interview and being able to present it as an example of why they need my skills? Or just contact the current IT manager and bring it to his attention in the hope of prompting an interview? I'm not interested in disclosing it to the world and prompting a sh*tstorm, but regardless of whether I ever even get the job, it is something that should really NOT be in the public domain.

All thoughts appreciated.


If you are going for a job there then public disclosure would almost guarantee that you wouldn't get hired.

Personally I would just contact the IT manager or CIO (depending on size of company) and bring it to their attention. I would also make sure that in the communication you send them you state clearly that you found them when researching the company in preparation for applying for a job. That way it spells out that you weren't trying to find secret stuff, Google just gave it to you.


Whilst I've been Googling the company in question to try and find out more about them, I've happened across documents that would constitute (under UK law) a breach of the Data Protection Act. I hasten to add that these documents were found with nothing more than Google and some targeted searching - an employee has been using a website that allows company documents to be uploaded, but they are not in any way protected from public viewing.

Who's to say you're the only one? I don't think it would make any difference! It's out there already in cyberspace. This would be a great door opener for just as long as you clearly explain your intentions, in my opinion.

I have not mentioned or passed this on to anyone else, but it includes names, addresses, phone numbers, emails and financials. The flipside of that, is that the employee responsible is easily identifiable, and could potentially wind up in a whole boatful of trouble.

He's going to get canned either way.

Edited by logicalconfusion

Just as a follow-up to this:

I already had the name of the Head of IT, and I managed to locate his email address as the DNS admin contact. I sent him an email to tell him what I'd found, but without going into specifics. He replied, and I then phoned via the main office number and asked to be put through to him to discuss what I'd discovered. He seemed appreciative and thanked me for letting him know. We didn't discuss the job application any further, and I didn't want to push the issue.


@CheeseBadger that's so stupid. Push the issue? Send him your CV and resume! What do you think he's going to do even if they're not interested? It's not like you're asking him to pet your badger. You're just looking for cheese like the rest of us. I've been to several interviews just so I can meet IT professionals and managers, knowing they're looking for someone else. It's a great way to network! I'm not shy.

Edited by logicalconfusion
