RBS breach of email security policy exposes staff pay rates

An email accidentally mailed to 800 RBS employees contained the pay rate details of nearly 3,000 RBS contract staff.

An email accidentally sent to employees of RBS has revealed the pay rates of around 3,000 contract staff – some of whom are paid £2,000 a day – causing embarrassment at the state-owned bank, which is shedding thousands of full-time employees.

The email, sent by a staff member of employment agency Hays, which has a contract with RBS to supply temporary staff, went to 800 RBS employees and gave details of the day rates paid to contractors.

RBS insisted that no customer details had been breached, and was unwilling to say whether it would continue its contract with Hays following the incident. In a written statement, the bank said: “We are extremely disappointed that confidential personnel data has been shared by one of our suppliers. This is unacceptable and we are taking action to address this issue. No customer information has been compromised."

Hays said that it had been able to recall half the emails before they were opened, and apologised for the mistake, adding that it had launched an internal investigation and promised to review procedures to ensure such an event could not happen again.

"The data included the roles and the pay rates of certain contractors, but did not include any bank account details or national insurance numbers,” a company statement said. "Hays recognises that the correct treatment of data is of the utmost importance and has apologised to RBS for this error. We are taking the unauthorised release of this data extremely seriously and are working with RBS to recover the data from recipients where possible.”

Sending emails to the wrong recipient, or mailing out confidential information by accident, is a common cause of data breaches. According to research conducted by the Ponemon Institute in February 2011 and sponsored by Check Point Software Technologies, 6% of data losses recorded in 800 UK businesses were caused by users sending email to the wrong recipients.

Terry Greer-King, Check Point's UK managing director, said: "It's all too easy for employees to attach the wrong file to an email and send it before realising their mistake. The way to stop these types of accidental data loss is with a system that can identify a potential breach by analysing attachments and email content, and alert the user before they send the email.”

Dave Crilley, a senior director of channel and international marketing for email security vendor Proofpoint, added that technology can help automate email security policy enforcement, and can be configured to flag up any message that might be in breach of policy.

“A simple email policy enforcer could have prevented this,” he said. “You always want to strike a balance between maintaining high-level productivity and security, but it would have been easy to send a message to the users asking them if they really wanted to send what looked like sensitive information.”

Crilley said it is also easy to prevent another common error: a user picking the wrong recipient from a dropdown menu. “It is also possible to ensure that certain types of information only go to individuals within a certain domain, for example, or are always encrypted,” he said. “These types of things can be relatively easily automated. It’s a question of understanding the information you hold, and making sure it doesn’t get out into the wild.”
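The pre-send check that Greer-King and Crilley describe, as an added example that is not code from Hays, RBS, Check Point or Proofpoint: an outbound mail gateway hook that inspects the body and any CSV attachment for pay-rate data, then allows, warns or blocks depending on whether the recipients are inside the permitted domain and how many there are. The domain names, thresholds, column names and the sample message are all constructed assumptions; only the Python standard library is used.

```python
"""Outbound e-mail policy check of the kind the article's vendors describe.

Added example, not code from Hays, RBS, Check Point or Proofpoint. The
policy values, domain names and the sample message are all constructed.
"""
import re
from dataclasses import dataclass, field
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed policy (illustrative values, not from the article).
INTERNAL_DOMAINS = {"hays.example"}   # pay data may circulate freely only here
MASS_MAIL_THRESHOLD = 50              # more external recipients than this is refused outright
PAY_COLUMNS = {"rate", "day rate", "pay rate", "daily rate", "salary"}
# Matches "£2,000 a day", "£450 per day", "£60/hour" and similar.
RATE_RE = re.compile(r"£\s?\d[\d,]*(?:\.\d+)?\s*(?:/|per|an?)\s*(?:day|hour|week)\b", re.I)


@dataclass
class Verdict:
    action: str                          # "allow", "warn" (ask the sender) or "block"
    reasons: list[str] = field(default_factory=list)


def recipients(msg: EmailMessage) -> list[str]:
    """All To/Cc/Bcc addresses as lower-cased addr-specs."""
    out = []
    for name in ("to", "cc", "bcc"):
        for hdr in msg.get_all(name, []):
            out.extend(a.addr_spec.lower() for a in hdr.addresses)
    return out


def pay_rows(csv_text: str) -> int:
    """Number of data rows if the CSV header has a pay-rate column, else 0."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return 0
    header = {h.strip().strip('"').lower() for h in lines[0].split(",")}
    return len(lines) - 1 if header & PAY_COLUMNS else 0


def check_message(raw: bytes) -> Verdict:
    """Decide whether an outbound message may leave, as a gateway hook would."""
    msg = message_from_bytes(raw, policy=default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    hits = RATE_RE.findall(body.get_content()) if body else []
    if hits:
        findings.append(f"body quotes {len(hits)} pay rate(s), e.g. {hits[0]!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/csv" or name.lower().endswith(".csv"):
            data = part.get_content()
            if isinstance(data, bytes):
                data = data.decode("utf-8", "replace")
            rows = pay_rows(data)
            if rows:
                findings.append(f"attachment {name!r} lists pay rates for {rows} people")

    if not findings:
        return Verdict("allow")                    # nothing sensitive, nothing to ask

    external = [r for r in recipients(msg) if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    if not external:
        return Verdict("allow", findings)          # sensitive, but stays in the permitted domain
    findings.append(f"{len(external)} recipient(s) outside {sorted(INTERNAL_DOMAINS)}")
    if len(external) > MASS_MAIL_THRESHOLD:
        return Verdict("block", findings)          # mass external send of pay data: refuse
    return Verdict("warn", findings)               # small external send: make the sender confirm


def build_sample(to: list[str], attach_rates: bool = True, mention_rates: bool = True) -> bytes:
    """Constructed message loosely modelled on the incident; not the real e-mail."""
    msg = EmailMessage()
    msg["From"] = "coordinator@hays.example"
    msg["To"] = ", ".join(to)
    msg["Subject"] = "Contractor rate card"
    text = "Rate card attached. Top band is £2,000 a day, junior band £450 per day.\n"
    msg.set_content(text if mention_rates else "Rate card attached.\n")
    if attach_rates:
        csv = "Name,Role,Day rate\n" + "".join(f"Contractor {i},Analyst,{400 + i}\n" for i in range(2900))
        msg.add_attachment(csv, subtype="csv", filename="rates.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    few = [f"user{i}@rbs.example" for i in range(3)]
    many = [f"user{i}@rbs.example" for i in range(800)]
    print(check_message(build_sample(few)))                       # warn: a few external recipients
    print(check_message(build_sample(many)))                      # block: mass external send
    print(check_message(build_sample(["payroll@hays.example"])))  # allow: stays internal
```

In a real deployment the `Verdict` would drive the mail client or gateway: "warn" returns the message to the sender with the reasons listed so they can confirm or cancel, "block" holds it for review, and either outcome is logged. Crilley's "or is always encrypted" alternative fits the same hook: instead of refusing external delivery, the gateway could route flagged messages through an encryption step before release.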
