The World Bank's Data Breach, And Its Sorry Follow-Up - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Leadership // CIO Insights & Innovation
Commentary
1/12/2009
12:49 PM
Bob Evans
Bob Evans
Commentary
50%
50%

The World Bank's Data Breach, And Its Sorry Follow-Up

The World Bank (annual IT budget about $250 million) has been hit by a range of data breaches, at least one of which involved info belonging to staffers. So a corporate guy overseeing IT has sent a flaccid memo to the whole organization. Take a look at the memo and ask yourself if it will make World Bank employees feel better -- or want to quit.

The World Bank (annual IT budget about $250 million) has been hit by a range of data breaches, at least one of which involved info belonging to staffers. So a corporate guy overseeing IT has sent a flaccid memo to the whole organization. Take a look at the memo and ask yourself if it will make World Bank employees feel better -- or want to quit.In a way, I feel a bit uncomfortable highlighting the impact of a data breach because in the past few years we've all seen the massive efforts organized crime, savvy individuals, and even ham-handed employees have made in trying to steal information from financial organizations. And when those hacks are successful, Lord knows there is more than enough blame to go around.

But this particular memo from the World Bank big shot, posted on the Web site of the Government Accountability Project, presents a level of detachment and arrogance that deserves to be called out. Look at the following excerpts from Managing Director Juan José Daboub's memo -- based on his message, does anybody out there think that Daboub was one of the World Bank employees whose information was exposed?

"Surveillance has also identified an inadvertent posting of confidential information on an externally accessible server by a Bank Staff member. The information included names and bank accounts for a number of staff members, but no other personal information.... The Credit Union has already taken precautions to monitor unusual activity on all affected accounts. Nonetheless, the WBG will provide affected staff with free credit-monitoring service, identify theft assistance, and other support.... All affected staff will by now have been notified by e-mail."

OK, so let's review: the exposed information includes names and bank-account numbers, but Daboub says that's OK because "no other personal information" was released -- well, heck, if that doesn't make you feel better, what will? Next, Daboub crows a bit in saying that the Credit Union is on the case with a promise to "monitor unusual activity on all affected accounts." Now, call me whiny, but isn't that a fairly common practice that any financial institution, let alone one affiliated with the esteemed World Bank, would have made a standard practice starting about 10 years ago?

And then Daboub, reaching once more into his deep bag of condescending remarks, says, "Nonetheless, the WBG will provide affected staff with free credit-monitoring service, identify theft assistance, and other support." You gotta love the word "Nonetheless" at the beginning of that sentence, where the real point of his message shows through: how much more do you sniveling little whiners expect us to do for you??

Plus, in his preceding sentence, Daboub says the Credit Union is going to "monitor unusual activity on all affected accounts," and that's dandy. But if that's already happening, then why does the World Bank also need to "provide affected staff with free credit-monitoring service?" Could it be that Daboub is showing a lack of confidence in his own internal abilities to protect employees? Nonetheless, indeed.

And then we have his final display of underwhelming support for his employees, wherein he says (and in the internal memo, this sentence is highlighted in boldface type!), "All affected staff will by now have been notified by e-mail." I would think that an organization that exposes its employees' names and bank-account numbers on a public server owes those affected employees a lot more than an e-mail alert. It's a simple matter of demonstrating to your colleagues that you value who they are and what they do, rather than trying to just sweep a piddling distraction under the rug as quickly as possible.

While scrutinizing this memo is a bit like shooting fish in a barrel, the memo's language and the thinking expressed by that language deserves to be shot. World-class CIOs achieve their positions by being accountable, by being responsible, by being high achievers, and by being open, fair, and honest communicators. This memo aims for none of that, and serves as a model for the type of communication business executives should strive to avoid.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
Get Your Enterprise Ready for 5G
Mary E. Shacklett, Mary E. Shacklett,  1/14/2020
Commentary
Modern App Dev: An Enterprise Guide
Cathleen Gagne, Managing Editor, InformationWeek,  1/5/2020
Slideshows
9 Ways to Improve IT and Operational Efficiencies in 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  1/2/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll