WingNews logo WingNews
top | item 34624799

My HR dept leaked some data to a scammer, take any action or ignore?

1 points| pthr | 3 years ago

I'm in some big multinational. I didn't get my salary of last month; thought I'd give it a couple of days. Then HR contacts me, asking whether I really did not get my salary? What turns out:

  - someone with some personal email address (which didn't contain any part of my name) contacted HR with my name, asking to change my bank account details
  - HR did (!), without at least asking to re-send from the professional mail account, preferably even signed and encrypted (as is nicely integrated in our email solution).
  - At pay day, HR transferred the salary to this new bank account
  - This scammer contacted them again, saying the salary was not  received; could they please transfer it again?
  - HR sent them some proof of payment, revealing some data related to me (legal entity of my employer with address, exact salary of that particular month)
  - After that, HR thought to probably ask me, at which point the fraud became clear.
HR tells me they'll transfer the salary 'soon', so I'll be kind to them and give them a couple of days.

What makes me feel bad particularly, is the data related to myself that leaked to this scammer in the process.

What would you do? Simply express how uncomfortable I am with that and forget?

I don't want to 'punish' the HR person that eventually made the mistake. But I also am upset that they leaked this data.

4 comments

order

aurizon|3 years ago

This should be told to management. That same HR person might be in cahoots with the scammer?? It also exposes a flaw that if exploited at a high level could scam all the cash in their accounts = all lose jobs. This exploit exposed a foolish employee as well as an untrained one. In a case like this, escalation should have been done by the HR person.

red_Seashell_32|3 years ago

Report it. CC your manager, theirs manager, persons from HR manager, head of HR and someone from finance. Your company also should have DPO and fraud departament - they should also be CCed.

It’s not about snitching, it’s about ensuring that processes are reviewed, historical data is reviewed, and ensured nothing similar has happened or is about to happen.

pthr|3 years ago

OK thanks for sharing your thoughts! Much appreciated. For now I reported to my direct manager and the HR manager, asking what HR's follow up actions are going to be (suggesting process review / staff refresher on processes, and reporting to fraud department). I expect they may want to keep this small, but let's see.

pettycashstash2|3 years ago

A big multinational should have a fraud dept. immediately inform them of this incident as well as your direct manager.