Current Staff Get Company Update from Ex-Staff

I have a case involving an ex-HR staff member (WT) and current employees (CE). I joined my current company 3 months after the ex-HR staff member left.

WT knows the sequence of the email settings (including user name and password) for all staff in my current company. We were informed by a staff member that he knew a lot of current information about the company. By instinct, we started to trace the web-mail login records for my email account and the Group GM's email account. We found that both our email accounts had been logged into by someone from some source (same domain). We started to fish for more info and records of his login activities and the messenger information from our current staff. We gathered all the information and evidence, and then a police report was made.

Here comes the interesting part: as a humane approach, we called WT to the office and inquired about his motive for doing so. He presented the record of the WhatsApp group, which involved 2 of our current employees, CE. Some of the message information was as below:

WT: (Information such as staff resignations and cancelled company activities (which was only made known to the HOD)... was revealed by WT to the staff in the WhatsApp group)

CE to WT:  besides this, any breaking news update?

WT to CE: (company information was updated whenever he got to know it from the email)

CE to WT: WT u really need to standby for us..U are our advisor now!

.......

The question is: the company wants to dismiss the CE staff involved, and was advised that the DI has to be carried out.

Could anyone please advise me on what charges we can raise from this case?

i.e. misconduct by willfully approaching a 3rd party to gain first-hand company information

breach of obligation to inform the company that WT knows what is happening in the company.

What is the next action to be taken?

One of the CE is a manager.

Thank you

  • I am not sure where in the world you are - so my answer is based on UK legislation and practice.

    If you can show that the current employees knew that the information they were receiving had been obtained illegally / in an underhand way then potentially you may be able to bring a disciplinary case against them. Whether this would go as far as gross misconduct is questionable (you would, I suggest, have to show they were complicit in the process/theft). Might lead to a written warning or a FWW at worst.

    It would, however, I think be hard to show that mutual trust and confidence has broken down simply because staff are gossiping with an ex-employee.

    There is probably no obligation at all to inform the company that an ex-employee knows what is going on inside the company (and certainly not unless dishonesty could reasonably have been known).

    What do you hope to achieve by dismissing staff for gossiping about genuine information? Seems a little overkill to me.
  • In reply to Keith:

    BTW why on earth does someone in HR know all the email passwords for everyone in the company? That's just asking for problems. Seems as a first step I would be fixing that.
  • In reply to Keith:

    Hi Keith,

    The ex-staff member admitted his wrongdoing and showed us the WhatsApp content above, which led him to dig for more information from the company emails. From the trail records and his admission, he has logged onto not only 2 email accounts but more, including the Finance Manager's and staff emails.

    At first we only suspected him, but we sent out a "misinformation" email to the HOD regarding the company annual dinner, and immediately the next morning (the email was sent at night around 9pm) he texted the group and a few of the staff on this matter. As a result, we are pretty sure it is him. In one of the emails we stated that we had lodged a police report against him, and he got to know (with a screenshot of the email content) from our ex-director.

    My boss has no trust in the CE anymore, both of whom are from the sales team, holding the Manager and Assistant Manager posts.

    For your 2nd question, yup, that's the default setting for the initial email setup, and it seems no one changes it (including me!). I have rectified this and no one knows anyone else's password now.
  • In reply to Soek Peng Tan:

    The fact that the ex-employee has admitted his wrongdoing is neither here nor there. He clearly has broken the rules and potentially the law. But he's an ex-employee.

    The issue is: have your current employees, by engaging in gossip with the ex-employee, done anything wrong? That's far harder to show. So far I am not sure from what you have said that, if it were me, I would find a sufficient case to bring a disciplinary charge against them, let alone dismissal.

    As I said earlier, I think you would have to show they knew (in some way) that the information was being obtained illegally (rather than the ex-employee just having a great network).
  • In reply to Keith:

    Thanks for the advice, Keith.

    No, we do not have the proof that the staff knew the information was being obtained illegally.
  • Would your boss have such a strong reaction if WT had met CE in a pub and this exchange of gossip had occurred in the form of a chat rather than an email exchange? People just do gossip about work.

    The more important issue here has been identified by Keith, and that is the lack of security of your ITC. Is your organisation big enough to have an IT Department? If so, they have some questions to answer. I consider it the norm nowadays for work email account passwords to have to be changed around once a month and for passwords to comply with minimum security standards (e.g. not p@ssword or the person's name).
  • I'm with the others, I'm afraid. Your boss is chasing the wrong cat in this situation.

    The main lesson to learn here is that your data security is rubbish. Not only does HR have access to everyone's password (why??) but those passwords are easy enough to remember that an ex-ee can recall them en masse, *and* it's possible to log on to your company email exchange remotely!

    My opinion is you're lucky to have discovered this loophole as a result of nothing worse than an ex-ee gossiping about stuff he found out and not through more serious corporate espionage.

    By all means black-list the ex-ee and give the others a warning (although I'm not sure what you'd be warning them about), but attention needs to shift away from the people and towards the IT with urgency. This is especially true if you're in the UK/EU or trading within this region, as the new General Data Protection Regulations will apply to your employees' personal data which you clearly are not protecting adequately. Heaven help you if you also have private clients.
  • In reply to Elizabeth Divver:

    Elizabeth, as an aside, the guidance from the National Cyber Security Centre suggests that regular changes of passwords are not that effective: www.ncsc.gov.uk/.../password-guidance-simplifying-your-approach

    I do, however, completely agree with everyone else: this is a company which really needs to put some effort into adding security to their ICT systems.
  • In reply to Steven :

    Hi Steven

    I bow to your expertise. I have no special knowledge on this subject but was citing the sorts of precautions our IT Department has in place and that I see in use elsewhere. My fundamental point is that having these two gossips hung, drawn and quartered will do nothing to correct a massive security failure and the responsibility for that sits elsewhere.
  • In reply to Elizabeth Divver:

    100% agree with you Elizabeth
  • In reply to Steven :

    Hi all,
    Thanks for pointing out the facts.

    The ex-ee had also logged into the Finance Manager's email. We were not sure what his motive was, which he refused to tell us when asked. We are just worried that the financial information was leaked to the former director who was involved in the fraud case with the company. A police report has been made on this matter. It has been rendered to the legal team for next action.

    As for the staff, even knowing that we had lodged the police report against the ex-ee, they still approached him for information.

    The ex-staff member left the company 8 months ago and I have been with the company for 2 months.

    We outsource our IT.

    By the way, this case happened in Malaysia.
  • In reply to Soek Peng Tan:

    I was just going to respond that there are other implications beyond the employment matter, especially related to data privacy issues etc., and the ICO (here in the UK) may not view this lightly and the company may be investigated for the breach. But now that you have clarified the incident took place in Malaysia, it may be that Malaysian law related to data privacy and employer obligations etc. needs to be looked at. Do you have a local Malaysian entity/subsidiary, or is it a branch office of a parent company? Please confirm if the CE and WT are also based in Malaysia and are they or were they (in the case of WT) employed by the local entity? Do you have any entity in Europe? Is employee data transferred between the Malaysian entity and the entities in Europe?
  • In reply to Steven :

    The ultimate pictorial guide to good passwords:

  • Steve Bridger

    Community Manager

    12 Sep, 2017 10:04

    In reply to Robey:

    Robey - extra points for managing to embed an image into a post. Respect!
  • In reply to Steve Bridger:

    I've been known to use the HTML editor before now, Steve. ;)