My HR dept leaked some data to a scammer, take any action or ignore?

1 points by pthr 3 years ago · 4 comments · 2 min read


I'm in some big multinational. I didn't get my salary of last month; thought I'd give it a couple of days. Then HR contacts me, asking whether I really did not get my salary? What turns out:

  - someone with some personal email address (which didn't contain any part of my name) contacted HR with my name, asking to change my bank account details
  - HR did (!), without at least asking to re-send from the professional mail account, preferably even signed and encrypted (as is nicely integrated in our email solution).
  - At pay day, HR transferred the salary to this new bank account
  - This scammer contacted them again, saying the salary was not received; could they please transfer it again?
  - HR sent them some proof of payment, revealing some data related to me (legal entity of my employer with address, exact salary of that particular month)
  - After that, HR thought to probably ask me, at which point the fraud became clear.

HR tells me they'll transfer the salary 'soon', so I'll be kind to them and give them a couple of days.

What makes me feel bad particularly, is the data related to myself that leaked to this scammer in the process.

What would you do? Simply express how uncomfortable I am with that and forget?

I don't want to 'punish' the HR person that eventually made the mistake. But I also am upset that they leaked this data.

aurizon 3 years ago

This should be told to management. That same HR person might be in cahoots with the scammer?? It also exposes a flaw that if exploited at a high level could scam all the cash in their accounts = all lose jobs. This exploit exposed a foolish employee as well as an untrained one. In a case like this, escalation should have been done by the HR person.

red_Seashell_32 3 years ago

Report it. CC your manager, their manager, the HR person's manager, the head of HR and someone from finance. Your company should also have a DPO and a fraud department - they should also be CCed.

It’s not about snitching, it’s about ensuring that processes are reviewed, historical data is reviewed, and ensuring nothing similar has happened or is about to happen.

pthr (OP) 3 years ago

OK thanks for sharing your thoughts! Much appreciated. For now I reported to my direct manager and the HR manager, asking what HR's follow-up actions are going to be (suggesting process review / staff refresher on processes, and reporting to fraud department). I expect they may want to keep this small, but let's see.

pettycashstash2 3 years ago

A big multinational should have a fraud dept. Immediately inform them of this incident as well as your direct manager.
