Go Phish.
July 29, 2016 11:51 AM

A company I used to work for had a security breach. I don't think they have been handling the situation appropriately and want to know what I can do to protect myself, but also to find out if I can file a complaint (and if this is even a thing).

Something feels very wrong about this situation to me and this might be a dumb question, but I'm wondering what to do and if there is anything greater I can do.

I worked as a permanent full time employee at a consulting firm for about a year (Company A). I was A's employee via W2, and was permanently assigned onsite at a company (Company B). I went to B daily and functioned in a role specific to B but happened to be a contractor from Company A, rather than a full time B employee. This is their resourcing model. I received full Company A benefits.

Several months into the job, Company B had a full time position open to which I directly applied, interviewed against other external candidates and was given the job. I resigned as a contractor at Company A and moved into my new full time employee role at Company B. This was perfectly fine, no toes stepped on, it's actually a common occurrence in my industry. Company A has about 90 contractors onsite at Company B and there are 3 other people who did the same thing as me, converting to Company B. I am a full time employee at Company B now. This was a great move for me and I'm really happy. Company A doesn't do a very good job of communicating with their employees and their management was a mess and still is.

Anyway, I came home the other day to a letter in the mail from Company A. It stated that they had a security breach and that employee data from 2015 had been compromised. I called the HR hotline number provided in the letter to get more information and was told that an executive in the company received and opened a phishing email and as a result compromised over 14,000 employees' data, including social security numbers, payroll information, past salaries and demographic information, and name/address/email/phone numbers/dates of birth. They are offering a protection plan at no cost as a result, through Experian.

I did alert my Company B boss to this as she is involved with managing the contract account between the two Companies because I felt it was good for her to know because who knows what else could have been compromised (as in company contract information that I sometimes touch that is classified). It also kind of begs the question about what kind of internal security systems they have in place because they aren't giving any other information on the situation, but I digress.

What I find concerning and would love some advice on is:

1) The letter was the only communication, including within our team working onsite at B. In speaking with a few others at work who converted to full time Company B employees like myself, they shared the same concerns - there was zero communication. There is an onsite Company A manager who manages the Company A contractors and the relationship between the companies, and he has not communicated anything. He is also nowhere to be found over the past two weeks. The entire situation feels very much like it's being swept under the rug, and this is a pretty serious information breach!

2) Company A collects biometric health information from employees if they voluntarily consent to it, offering healthcare discounts (I did not do this but many do). Could this have been compromised? I asked their HR hotline rep and the response was "I don't know".

3) Do I need to worry about my bank account? This was also given an "I don't know" by the HR rep.

4) Company A is about to go IPO but has a small window where they could be purchased by a venture capital firm in the next few months. Could they be not communicating this information proactively with those of us affected due to not wanting to affect their IPO/VC purchase?

I feel like Company A is being exceptionally dismissive about the seriousness of this. Do I have any recourse beyond protecting my own bank account and enrolling in their protection program, or can I file a complaint? Is this something I could report to the SEC, or is this a whistleblowing type situation? I feel like someone needs to say something.

Should I just shut up, butt the hell out and worry about myself?

Thanks smarty MeFis!
posted by anonymous to Law & Government (5 answers total)
Fed gov't employee here, hacked along with millions of others. We got free credit monitoring for 18 months, after some bitching it was extended indefinitely. Good luck but I don't think you'll get much beyond that.
posted by fixedgear at 12:23 PM on July 29, 2016

More than likely they don't know what was taken and are just listing the possibilities, which is normal. That said, you shouldn't be sticking your nose into the relationship between the companies. Take the monitoring and enjoy your new position!
posted by rhizome at 12:28 PM on July 29, 2016 [3 favorites]

If I were you, I'd sign up for the credit monitoring, and talk to your bank about security (if you're really worried I'm sure they can get you a new account number), and then forget about it.

But here are some other things you could consider:
"Could they be not communicating this information proactively with those of us affected due to not wanting to affect their IPO/VA purchase?"

There is a very good chance that by sending you the letter they did, they have met all of their legal requirements regarding a data breach. Assuming that this is in the US, the laws on data breach notifications are sketchy -- HIPAA may or may not be implicated here, but the HIPAA Notification Rule is a good benchmark for what companies should be doing.

If Company A has more than 500 employees, you may also want to see if they reported the breach to HHS.

If HIPAA is actually implicated (meaning, something relating to healthcare was involved in the breached info, which is likely b/c at the very least the hackers might have gotten your insurance plan info), then maybe you might want to confirm that they are meeting all of the HIPAA requirements.

But think through what is really the worst case here, for you, and what can you do about it?
  • Your bank and credit card companies will help protect you from fraud.
  • But for everything else (for example, if your health records contained info that would hurt you if it got public) there really isn't anything that you can do about it. Which sucks, but whistleblowing and foiling Company A's IPO is not likely to help keep that kind of info secret (in fact, it's more likely to bring it to the fore).
  • And let's face it -- breaches of employee data don't really hurt companies. Not the same way that customer data does (and even then, it has to be juicy customer data... no one cares about Home Depot's breach anywhere near as much as Ashley Madison's).

posted by sparklemotion at 12:49 PM on July 29, 2016 [1 favorite]

I'm not sure what else you want them to do. They communicated with you, they provided a hotline. Company B knows (either they did before anyway or because you told them).

I understand you have questions about your bank account (and the banks must be used to this situation by now and have solutions for you), but you are a former employee and you might not know what else they are doing and how they are communicating with their clients, regulators, etc.

I expect they are sorry, I expect they have learned lessons, I expect they wish it would just go away, but they cannot change the past and they seem to have already done what other companies do in this situation.
posted by Xhris at 1:15 PM on July 29, 2016 [3 favorites]

And it's what they'll do the next time it happens, too.
posted by rhizome at 6:59 PM on July 29, 2016
