In light of the recent Equifax hack that has left more than 100 million Americans, along with some Brits and Canadians, nervously wondering when and if they’ll be identity-theft victims, allow me to share a story from my distant past.
Many years ago, while I was working at a consulting house, my boss stopped by my desk with a CD in his hand. A prospective client whom I’ll call Flighty HR Lady had given him an Access database and asked for his thoughts as to whether or not it was something worth using, so he turned it over to me to take a look.
I opened it up and was immediately appalled at what I saw.
Inside was a detailed listing of several hundred employees that included dates of birth, social insurance numbers and driver’s license numbers. Everything a growing identity thief needs to know. No security. No encryption.
I reported my findings to my boss, who then told me that the database I had just seen wasn’t the entire personnel file of Flighty HR Lady’s employer. It was the entire personnel file of her former employer.
So, in summary, Flighty HR Lady, a certified human resource professional who today is the proprietor of her own HR consulting business and trains others in her field, took personnel files she no longer had any right to access, let alone possess, and blindly turned them over to a third party.
Let that sink in.
I then asked my boss, “Is Flighty HR Lady aware she could be charged for this?” He brushed it off as a case of extreme naïveté, but something tells me the Mounties wouldn’t have been quite so forgiving.
Not to diminish the impact of external hacks, such as what apparently happened in the Equifax case and other high-profile security breaches, but the moral of the story is that people like Flighty HR Lady can compromise your personal information just as easily as any hacker. As I’ve often discussed with colleagues past and present, the internal threat to an organization’s data is, in fact, often much greater than anything external.