Employer not safeguarding sensitive information, what to do?

Anonymous
The other day I happened upon several documents containing my personal information (SSN, DoB, etc.) that were located on the firm's public drive. There were other files with the names of other employees and, while I did not access these files, I assume based on the title and location of the files that they contain similar information to the files with my name on them. I'm not trying to make a big thing about it, but at the same time I'm furious that this information is accessible to all of the employees at my firm. Practically speaking, how do I resolve this, and how do I allay concerns that (1) my personal information is located in other sections of the firm intranet that I just haven't found yet, (2) there is an elevated risk of identity theft, and (3) there are obviously inadequate safeguards to prevent and subsequently identify disclosure of this information?
Anonymous
Personnel information shouldn't be on the public drive; it should be in a locked folder of some kind. But before charging off and accusing, I would simply talk to the owning component and say "hey, I came across these files on the company drive and they were open to everyone. Do you want me to show you how to put access control on the folder/password protect each file?" Half the people I work with are clueless about what is visible where on the drive. They may have no idea that the files are really open to everyone.
Anonymous
Anonymous wrote:Personnel information shouldn't be on the public drive; it should be in a locked folder of some kind. But before charging off and accusing, I would simply talk to the owning component and say "hey, I came across these files on the company drive and they were open to everyone. Do you want me to show you how to put access control on the folder/password protect each file?" Half the people I work with are clueless about what is visible where on the drive. They may have no idea that the files are really open to everyone.


OP here: That's not enough for me, for them to just delete/password protect the files I know about. I want assurance that they have performed a thorough scan of their network and removed any and all such files containing my personal information. I wasn't planning on telling them where these files are, because that's the only comfort I'll have that they actually made an effort to find all of the files on the system. I really don't think I'm asking for too much; this is HR 101 here, and a company of this size should have IT protocols in place to scan for and flag these types of files on the network. And what about all the other employees affected by this? Don't they deserve to know their information has been compromised?
Anonymous
How big of a firm? Tell your IT staff.
Anonymous
Anonymous wrote:
Anonymous wrote:Personnel information shouldn't be on the public drive; it should be in a locked folder of some kind. But before charging off and accusing, I would simply talk to the owning component and say "hey, I came across these files on the company drive and they were open to everyone. Do you want me to show you how to put access control on the folder/password protect each file?" Half the people I work with are clueless about what is visible where on the drive. They may have no idea that the files are really open to everyone.


OP here: That's not enough for me, for them to just delete/password protect the files I know about. I want assurance that they have performed a thorough scan of their network and removed any and all such files containing my personal information. I wasn't planning on telling them where these files are, because that's the only comfort I'll have that they actually made an effort to find all of the files on the system. I really don't think I'm asking for too much; this is HR 101 here, and a company of this size should have IT protocols in place to scan for and flag these types of files on the network. And what about all the other employees affected by this? Don't they deserve to know their information has been compromised?


You sound very angry, and that's not going to get you far with your IT/HR office. I deal with this kind of thing for a government agency, and there's no simple kind of scan you can do to simply find it. The way we lock them down is bunch by bunch. Someone locates one file that needs protecting, and then we look for similar files to pull them into an enclave. And also, you're just not as interesting as you think. Most people do not spend loads of time cruising the share drive fishing. Most files never get looked at after being uploaded. So give your firm the benefit of the doubt and help them help you.
Anonymous
Anonymous wrote:
Anonymous wrote:
Anonymous wrote:Personnel information shouldn't be on the public drive; it should be in a locked folder of some kind. But before charging off and accusing, I would simply talk to the owning component and say "hey, I came across these files on the company drive and they were open to everyone. Do you want me to show you how to put access control on the folder/password protect each file?" Half the people I work with are clueless about what is visible where on the drive. They may have no idea that the files are really open to everyone.


OP here: That's not enough for me, for them to just delete/password protect the files I know about. I want assurance that they have performed a thorough scan of their network and removed any and all such files containing my personal information. I wasn't planning on telling them where these files are, because that's the only comfort I'll have that they actually made an effort to find all of the files on the system. I really don't think I'm asking for too much; this is HR 101 here, and a company of this size should have IT protocols in place to scan for and flag these types of files on the network. And what about all the other employees affected by this? Don't they deserve to know their information has been compromised?


You sound very angry, and that's not going to get you far with your IT/HR office. I deal with this kind of thing for a government agency, and there's no simple kind of scan you can do to simply find it. The way we lock them down is bunch by bunch. Someone locates one file that needs protecting, and then we look for similar files to pull them into an enclave. And also, you're just not as interesting as you think. Most people do not spend loads of time cruising the share drive fishing. Most files never get looked at after being uploaded. So give your firm the benefit of the doubt and help them help you.


OP here: I don't think it's unreasonable for me to be unhappy about it. Obviously I'm not going to make a scene to HR/IT about it, because it's not their fault another employee was careless. I do agree there's little chance anyone at my company would access the files and an extremely small chance they'd do anything malicious with the data, so I take some comfort there. Re: the scan, I think just searching for my last name, SSN, and DoB will net most of the files.
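The search the OP proposes above (last name, SSN and DoB across the share), written out as an added example that is not part of the original thread or any poster's own tooling. It assumes the share is mounted as a POSIX directory holding plain-text files; the sample files, the employee name "Jones" and the SSNs/dates in them are constructed for the demo. It also shows two things a practitioner would want: SSN pattern validation that drops never-issued ranges (area 000, 666, 900-999, group 00, serial 0000) so invoice and PO numbers do not flood the report, and a check of whether each hit is world-readable, which is the actual problem on a "public drive".

```python
"""Scan a directory tree for files that appear to hold SSNs, dates of birth, or a
given surname, and report whether each hit is readable by everyone.

Added example for the thread above, not the firm's or any poster's code.
Assumptions: plain-text files on a POSIX-mounted share. Office formats
(docx/xlsx/pdf) are zipped or binary and must be text-extracted first;
on a Windows file server the permission check would inspect the ACL
(icacls / Get-Acl) rather than the POSIX 'other' bit used here.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SSN with a dash or space separator. Negative lookaheads reject ranges the SSA
# never issues, which removes most invoice/phone-like false positives.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}(?!\d)"
)
# US-style date of birth, MM/DD/YYYY, years 1900-2099.
DOB_RE = re.compile(
    r"(?<!\d)(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}(?!\d)"
)


@dataclass
class Finding:
    path: str
    ssn_count: int
    dob_count: int
    name_hit: bool
    world_readable: bool


def scan_text(text: str, name: Optional[str] = None) -> Tuple[int, int, bool]:
    """Return (SSN-like count, DoB-like count, surname present) for one document."""
    ssns = len(SSN_RE.findall(text))
    dobs = len(DOB_RE.findall(text))
    name_hit = bool(name) and name.lower() in text.lower()
    return ssns, dobs, name_hit


def is_world_readable(path: str) -> bool:
    """POSIX 'other' read bit; the assumption stated in the module docstring."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root: str, name: Optional[str] = None, max_bytes: int = 5_000_000) -> List[Finding]:
    """Walk root and return a Finding for every file with at least one hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # unreadable by this account; note it separately if you need to
            # 'replace' keeps binary junk from being silently dropped in a way that
            # could join digits into a fake SSN; U+FFFD breaks the digit run instead.
            text = raw.decode("utf-8", errors="replace")
            ssns, dobs, name_hit = scan_text(text, name)
            if ssns or dobs or name_hit:
                findings.append(Finding(path, ssns, dobs, name_hit, is_world_readable(path)))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample share contents (not real people or numbers).
SAMPLES = {
    "hr/onboarding_jones.txt": "Employee: Pat Jones\nSSN: 219-09-9999\nDOB: 03/14/1980\n",
    "hr/benefits_roster.csv": "name,ssn,dob\nPat Jones,219 09 9999,03/14/1980\nSam Lee,412-65-4320,11/02/1975\n",
    "finance/invoice_2023.txt": "Invoice 000-12-3456 due 13/40/2023\nPO 666-55-4444\n",
    "marketing/memo.txt": "Q3 launch notes. Contact ext 4455.\n",
}


def demo(name: str = "Jones") -> List[Finding]:
    """Build the sample tree in a temp dir, make it 'public' (0644), scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o644)  # simulate the open share drive
        return scan_tree(root, name)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.path}: ssn={f.ssn_count} dob={f.dob_count} name={f.name_hit} [{flag}]")
```

In the demo the finance file is skipped even though it contains three nine-digit dashed numbers, because none of them is in an issued SSN range and the date is not a valid calendar date; the two HR files are reported with their counts. For a real share, run it under the least-privileged account (an ordinary employee) so the output is exactly the set of files that account can read, and hand that list to IT rather than the search terms alone.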
Anonymous
Just report it so they can fix it. Not sure why you are stewing about it instead of helping fix the problem. Shit happens. If you make a huge stink, you will become the troublemaker. No one expects HR to be all that smart.
Anonymous
Contact the privacy officer at your company and that individual will (should) intercede on your behalf.
Anonymous
Some of these responses surprise me. Releasing SSNs is a very serious issue. I know in this case they're not released to the general public, but they should not be available to the entire company.
Anonymous
Anonymous wrote:Some of these responses surprise me. Releasing SSNs is a very serious issue. I know in this case they're not released to the general public, but they should not be available to the entire company.


They shouldn't be, but computer idiots are everywhere. OP needs to point it out to HR and IT and let them do a scrub to take those personnel files out of the company public area. OP seemed to be in a huge state of panic and anger, though, and seemed to expect there was some kind of magic wand where someone goes in and pushes a magic button that suddenly parses all files, gets only the files with SSNs and moves them immediately, combined with a massive public mea culpa. Too much drama.
Anonymous
I am not OP, but have you ever had your identity stolen?

No? Then shut the fuck up.

Anonymous
Anonymous wrote:
Anonymous wrote:Some of these responses surprise me. Releasing SSNs is a very serious issue. I know in this case they're not released to the general public, but they should not be available to the entire company.


They shouldn't be, but computer idiots are everywhere. OP needs to point it out to HR and IT and let them do a scrub to take those personnel files out of the company public area. OP seemed to be in a huge state of panic and anger, though, and seemed to expect there was some kind of magic wand where someone goes in and pushes a magic button that suddenly parses all files, gets only the files with SSNs and moves them immediately, combined with a massive public mea culpa. Too much drama.


+1.

Honestly, SSNs are everywhere anyway. Your doctor's office, your credit cards, your mortgage, your auto loan, your cell phone company, your kids' school, etc. And not just now: every loan you've ever had, every job you've ever had, every cell phone company, your old university, probably your high school, your landlord 10 years ago, etc. To say hundreds, perhaps thousands, of people have had access to it at one point or another is accurate.

Tell your firm, but don't kid yourself into thinking you are remotely protected. And don't do the "I won't tell them about this folder" bullshit so you can go wag a bony finger at them in a week like a 10 year old.
Anonymous
Anonymous wrote:
Anonymous wrote:
Anonymous wrote:Some of these responses surprise me. Releasing SSNs is a very serious issue. I know in this case they're not released to the general public, but they should not be available to the entire company.


They shouldn't be, but computer idiots are everywhere. OP needs to point it out to HR and IT and let them do a scrub to take those personnel files out of the company public area. OP seemed to be in a huge state of panic and anger, though, and seemed to expect there was some kind of magic wand where someone goes in and pushes a magic button that suddenly parses all files, gets only the files with SSNs and moves them immediately, combined with a massive public mea culpa. Too much drama.


+1.

Honestly, SSNs are everywhere anyway. Your doctor's office, your credit cards, your mortgage, your auto loan, your cell phone company, your kids' school, etc. And not just now: every loan you've ever had, every job you've ever had, every cell phone company, your old university, probably your high school, your landlord 10 years ago, etc. To say hundreds, perhaps thousands, of people have had access to it at one point or another is accurate.

Tell your firm, but don't kid yourself into thinking you are remotely protected. And don't do the "I won't tell them about this folder" bullshit so you can go wag a bony finger at them in a week like a 10 year old.


OP here: It seems that my initial frustration was based upon an incorrect understanding of (1) how these files work and (2) the fact that it's much more reliant on human compliance than technology, so point taken. The few times I've read about data issues (Veterans Affairs a while ago, the SEC somewhat recently) it seemed like a huge thing in those situations, so in my limited experience it is... apparently that's also not correct. Oh well, picked up an attitude adjustment at the store today, so I'm ready to square this away in a constructive manner tomorrow morning. Thanks for the input, folks.