Anonymous wrote: Anonymous wrote: Anonymous wrote: Some of these responses surprise me. Releasing SSNs is a very serious issue. I know in this case they're not released to the general public, but they should not be available to the entire company.
They shouldn't be, but computer idiots are everywhere. OP needs to point it out to HR and IT and let them do a scrub to take those personnel files out of the company public area. OP seemed in a huge state of panic and anger, though, and seemed to expect there was some kind of magic wand where someone goes in and pushes a magic button that suddenly parses all files and gets only the files with SSNs and moves them immediately, combined with a massive public mea culpa. Too much drama.
+1.
Honestly, SSNs are everywhere anyway. Your doctor's office, your credit cards, your mortgage, your auto loan, your cell phone company, your kid's school, etc. And not just now: every loan you've ever had, every job you've ever had, every cell phone company, your old university, probably your high school, your landlord 10 years ago, etc. To say hundreds - perhaps thousands - of people have had access to it at one point or another is accurate.
Tell your firm, but don't kid yourself into thinking you are remotely protected. And don't do the "I won't tell them about this folder" bullshit so you can go wag a bony finger at them in a week like a 10-year-old.
Thanks for the input folks.
Anonymous wrote: Anonymous wrote: Anonymous wrote: Personnel information shouldn't be on the public drive, they should be in a locked folder of some kind. But before charging off and accusing, I would simply talk to the owning component and say "hey, I came across these files on the company drive and they were open to everyone. Do you want me to show you how to put access control on the folder/password protect each file?" Half the people I work with are clueless about what is visible where on the drive. They may have no idea that the files are really open to everyone.
OP here: That's not enough for me for them to just delete/password protect the files I know about. I want assurance that they have performed a thorough scan of their network and removed any and all such files containing my personal information. I wasn't planning on telling them where these files are because that's the only comfort I'll have that they actually made an effort to find all of the files on the system. I really don't think I'm asking for too much, this is HR 101 here and a company of this size should have IT protocols in place to scan and identify and flag these types of files on the network. And what about all the other employees affected by this, don't they deserve to know their information has been compromised?
You sound very angry, and that's not going to get you far with your IT/HR office. I deal with this kind of thing for a government agency, and there's no simple kind of scan you can do to simply find it. The way we lock them down is bunch by bunch. Someone locates one file that needs protecting and then we look for similar files to pull them into an enclave. And also, you're just not as interesting as you think. Most people do not spend loads of time cruising the share drive fishing. Most files never get looked at after being uploaded. So give your firm the benefit and help them help you.