In December last year, like many others in my company and across the world, I was made redundant. It’s quite the thing these days, and the change in lifestyle brings with it a raft of advantages. One such is making new friends and influencing people at the Department for Work and Pensions (DWP).
The last time I signed on the rock’n’roll, the Department of Health and Social Security obliged one to queue for hours at one of its dark, satanic mills every fortnight. This was undertaken under the pernicious gaze of misanthropic civil servants who gave every impression of hankering for unemployment themselves, in preference to dirtying their hands with the hoi polloi.
These days, however, while the bi-weekly signing ritual remains, the offices are pleasantly bright and airy (although the guilty-pleasure letterbox-plop of the subsequent giro has disappeared), and several DWP employees will swoop on the lost-looking first-timer to enquire if they may be of assistance. The spongers and scroungers of yesteryear are now ‘customers’. Customers’ names are called, if not exactly with the deferential warmth of a maître d' greeting a valued customer, then at least with the recognition of one belonging to a common species hailing another. My Customer Services Advisor, a courteous and friendly young lady, greeted me by name, shook my hand and explained how things work at the social these days.
In one of those weird reversals of terms one often stumbles across now the public sector models itself on the private sector, the unemployment game is, thanks to the recession, a massive growth sector. Just as a private company might spend to increase profit during a boom, so the DWP’s budget and remit has been expanded to meet the influx of ‘customers’. (A word of warning: it is to invite a headache to imagine the nightmarish balance sheet on which the decrease in costs to the state incurred by benefit payments can be expressed as a profit to justify this increased spending.)
One of the ways the DWP has diversified its operation is in partnering with private-sector employment consultants. The recession, my Customer Services Advisor told me, had emphatically changed the role of the DWP in ways for which it had not been designed. Before, she explained, when a newly redundant plumber (for example) walked through the door, the jobcentre would give said plumber whatever benefits were deemed necessary until an employer needing a plumber was found, whereupon the DWP would pack him a sandwich and an apple and wave a hanky from the doorway, brushing away a tear as he toddled off to his first day back at work (I paraphrase).
In these post-credit-crunch days it’s all different, said the Customer Services Advisor. People who have spent decades toiling away with job titles requiring a PhD in Applied Cleverness to understand have come a cropper in the recession, and this has presented a whole different ball game. Hence the very sensible decision by the DWP to outsource work dealing with white-collar recruitment to private-sector companies with more experience in the field.
In a momentary lapse of judgement, the Customer Services Advisor asked if I was interested in such a referral. I jumped at the chance. As part of my redundancy package, my former employer had packed me off to an employment agency specialising in ‘career counselling’ - which I had thoroughly enjoyed - and I was eager to repeat the experience.
(The basic deal is this: you potter along, they ask you what your plans are, you tell them and they spend a few hours telling you, in a number of different and ever ego-expanding ways, how brilliant the rest of your life will turn out. There’s a bit more to it than that, but those are the salient points. Seriously, after the first time, I hit the pub feeling a million dollars. It is of course an illusory, fleeting experience, but people pay serious money to achieve that buzz of elation - usually through illicit means - so if the opportunity comes along for free and it’s legal, I say one should grasp it with both hands.)
As it turned out (as is usually the case), I couldn’t achieve the same high as the first time. Nonetheless, I wouldn’t pooh-pooh it by any means. The agency to which the DWP sent me, May and Stephens, were the epitome of professional courtesy, my consultant an extremely bright and creative person who knew a lot about my field, and I retired to the Fuller’s pub down the road for an ESB, if not with the high of before, at least with a sense of quiet confidence and industry. I knew from before that it probably wouldn’t last long, but wallowed without reserve while it lasted.
However, not long after my visit to the DWP and subsequent excursion to May and Stephens, I found myself the target of emails from shadowy characters who somehow knew I had recently been made unemployed, purporting to represent companies offering me employment on the strength of my CV - the fly in the ointment being that I hadn’t then had the time to send out my CV.
They were, by the standards of other phishing operations I’ve seen, a bit clumsy, but that’s not to understate the seriousness of this kind of cyberfraud. Exact figures are difficult to come by (cybercrime is under-reported), but it is thought that in 2005 criminals netted £23.2m through phishing scams in the UK alone.
The inscrutable Gary Hall, for example, sent me word that EPS – presumably the courier company, although a quick look at Google also suggests the European Physical Society, Environmental Property Services or possibly (and much, much more enticingly!) the Experimental Psychology Society – had in mind for me a highly desirable, if slightly mysterious career:
Our company EPS is pleased to offer you a well-paid part-time job.
Location : United Kingdom
If you are interested, please reply to : email@example.com with your short resume.
Mr Willie Jones, purporting to represent container logistics company Tarros, was more effusive, while getting to the point straight away:
We have found and reviewed your CV and decided to offer this job to you.
Supply Department Agent.
Receiving, checking quality of the packages, sorting packages according to zip code and/or town name, shipping out packages to our clients with your local postal service (working with shipping labels).
For candidates interested in reviewing our current opportunities, the following are the basic requirements:
- UK Citizens.
- Should not be below 21 years of age.
- Ability to receive day time mail and packages.
- Can dedicate at least 2-3 work hours/day.
- With a working e-mail address and a telephone access.
If you are interested, please reply to : firstname.lastname@example.org with your short resume.
Tarros Europe Group
A shame, then, that a quick Google search showed this also to be a scam.
So how could these people know that I had recently been made redundant, and where had they got my email address from? The two obvious suspects were the DWP and May and Stephens, given they were both directly involved with my recent change in employment circumstances, and both had just received personal data relating to this, including my email address.
At first, and without a scrap of evidence, I cast the gaze of suspicion towards the DWP. Given the string of public-sector data security breaches in recent years, it is perhaps natural – if unfair – to suspect first the people whose salaries depend not on competence and performance, but on continued support from the public purse. However, a recent incident gave me leave to reconsider who might be playing fast and loose with my personal data, when I received a round-robin email from May and Stephens, displaying to each of the seven hundred or so recipients everyone else’s email address.
With the near-universality of phishing activity (I don’t know one person with an email account who hasn’t received some sort of cybercrime bait), this is serious enough in itself. But there is a broader principle which is of greater concern. Such organisations, by dint of the nature of their business, hold large amounts of confidential, personal data. If they do not see the need to train staff adequately in the most basic of office IT applications, such as email, to protect this data, what reason can there be to presume they take any more rigorous and technical measures to observe the requirements of the Data Protection Act, such as shoring up security on their servers where wider-reaching and more sensitive confidential personal information is held? How is data transferred, and using what encryption methods?
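The breach above is a mechanical one: every address was placed in the visible To/Cc fields rather than in Bcc. As an added example (not part of the original post, and not May and Stephens’ or anyone else’s code), the following Python script shows how a mail gateway or a send-time hook could spot such a broadcast and rebuild it with the bulk recipients in Bcc. The message text and the threshold of two visible addresses are constructed assumptions.

```python
"""Flag outbound mail that exposes a bulk recipient list, and show the Bcc fix."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a round-robin notice with every client in the visible
# Cc field, the way the message described above was sent.
ROUND_ROBIN = """\
From: consultant@agency.example
To: client001@mail.example
Cc: client002@mail.example, client003@mail.example, client004@mail.example
Subject: This week's vacancies

Please find attached our latest list of opportunities.
"""

def visible_recipients(raw):
    """Return the de-duplicated addresses that every recipient of this message can see."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def exposes_recipient_list(raw, max_visible=2):
    """True when more than max_visible addresses are visible to all recipients.
    The threshold is an assumption; pick one that suits the organisation."""
    return len(visible_recipients(raw)) > max_visible

def to_bcc_broadcast(raw, visible_to):
    """Rebuild the message so bulk recipients travel in Bcc, invisible to each other.
    visible_to is the single address left in To, typically the sender's own."""
    original = message_from_string(raw)
    fixed = EmailMessage()
    fixed["From"] = original["From"]
    fixed["Subject"] = original["Subject"]
    fixed["To"] = visible_to
    fixed["Bcc"] = ", ".join(visible_recipients(raw))
    fixed.set_content(original.get_payload())
    return fixed

if __name__ == "__main__":
    if exposes_recipient_list(ROUND_ROBIN):
        safe = to_bcc_broadcast(ROUND_ROBIN, "consultant@agency.example")
        print("Blocked: %d visible addresses; rebuilt with Bcc" % len(visible_recipients(ROUND_ROBIN)))
        print(safe.as_string())
```

When handed to smtplib’s send_message, the Bcc header is used for the envelope and stripped from the delivered copy, so no recipient sees the others.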
Here is the ‘reply all’ I sent to May and Stephens, as well as the other addressees (whose details, incidentally, I have deleted from my system):
Dear Mr Vincent,
Thank you for your recent email, thanks to which I now have the email addresses of around seven hundred of your clients. To someone less principled, an extensive list of the confirmed personal email addresses of six or seven hundred white-collar workers, who have recently sought the services of an agency offering job search consultations, could offer all sorts of lucrative avenues.
Not least of which might be phishing scams purporting to originate from legitimate companies offering employment possibilities. Funnily enough, I myself have been on the receiving end of such phishing attempts, shortly after handing my personal data to May and Stephens.
However, just in case one of your clients does take exception (I have blind-copied all 700 or so of them in on this email, as well as several other agencies who might take an interest), in your place I would take pre-emptive action. This might, for example, include alerting your company lawyer (assuming you have one) that there has been a significant data breach.
You might also care to peruse the Data Protection Act 1998 at your leisure (http://tiny.cc/DPAbreach) and consider whether, besides the legal issues, protecting clients' personal data might or might not constitute one of the most basic requirements of professionalism in a recruitment company - which necessarily holds much confidential personal data about its clients - such as May and Stephens.
I would be most interested to hear your thoughts on the matter. Indeed, if any of the other recipients of this email would care to comment, I have posted the whole story on a blog, http://methuselahsdiary.blogspot.com; feel free to leave your thoughts in the comments section. I’m sure we’d all be most interested!
On a brighter note, isn't this delightful weather we've been enjoying recently?
I remain your obedient servant,
Right of reply
Long before sending that, I did approach the managing director of May and Stephens, Jackie May, by phone and by email, to allow her to give her side of the story. I asked her a number of specific questions:
1. How important does May and Stephens regard the protection of the confidential data it holds about clients and partners?
2. Has May and Stephens' attitude toward data protection evolved in recent years?
3. Did the public sector data protection scandals in 2008 and 2009 cause May and Stephens to revisit its data security policies?
4. Is data security an IT issue or an HR issue?
5. Does May and Stephens hold any data security training for staff?
All of which, I thought, were fairly pertinent to May and Stephens’ data breach and its implications.
Alas, no reply was forthcoming (I took care to hold back from posting this to give Ms. May a reasonable amount of time in which to reply). What did come, however - the very next day - was another email from the hapless Mr Vincent:
Thank you for all your replies.
Please accept our deepest apologies for the mistake made in the previous email. I can assure you that it won't happen again. Thank you for your cooperation.
Now I’m guessing that the phrase ‘thank you for all your replies’ has a story of its own to tell (‘it won't happen again’), and I might not have been the only one with a grumble. I’d be delighted to see your opinions in the comments box, whether from fellow breachees, from a representative of May and Stephens (come on Jackie!) who might like to share with us their thoughts on ‘the mistake’, or just from anyone with a view on data protection.
I would like to assure everyone that after I sent those emails, I completely deleted all traces of your digital data, including email addresses, from my system. If you are worried about having been made vulnerable to phishing attacks, there are a number of online resources:
Information Commissioner’s Office
Anti-Phishing Working Group
Microsoft Online Safety
Bank Safe Online
Phishing attack: how to avoid becoming a victim
National Consumer League’s Internet Fraud Watch
How Phishing Scams Work
What is phishing?
FAQ: Recognising phishing emails
There is also a wide range of commercial identity protection software products available.
On the plus side, however, every opinion poll this morning seems to suggest a hung parliament on Friday, meaning we’ve got months, possibly years more of this interminable election stuff banging on and on and on in the papers, on the internet, radio and telly. Hurrah!