The World Bank (annual IT budget about $250 million) has been hit by a range of data breaches, at least one of which involved info belonging to staffers. So a corporate guy overseeing IT has sent a flaccid memo to the whole organization. Take a look at the memo and ask yourself if it will make World Bank employees feel better -- or want to quit.In a way, I feel a bit uncomfortable highlighting the impact of a data breach because in the past few years we've all seen the massive efforts organized crime, savvy individuals, and even ham-handed employees have made in trying to steal information from financial organizations. And when those hacks are successful, Lord knows there is more than enough blame to go around.
But this particular memo from the World Bank big shot, posted on the Web site of the Government Accountability Project, presents a level of detachment and arrogance that deserves to be called out. Look at the following excerpts from Managing Director Juan José Daboub's memo -- based on his message, does anybody out there think that Daboub was one of the World Bank employees whose information was exposed?
"Surveillance has also identified an inadvertent posting of confidential information on an externally accessible server by a Bank Staff member. The information included names and bank accounts for a number of staff members, but no other personal information.... The Credit Union has already taken precautions to monitor unusual activity on all affected accounts. Nonetheless, the WBG will provide affected staff with free credit-monitoring service, identify theft assistance, and other support.... All affected staff will by now have been notified by e-mail."
OK, so let's review: the exposed information includes names and bank-account numbers, but Daboub says that's OK because "no other personal information" was released -- well, heck, if that doesn't make you feel better, what will? Next, Daboub crows a bit in saying that the Credit Union is on the case with a promise to "monitor unusual activity on all affected accounts." Now, call me whiny, but isn't that a fairly common practice that any financial institution, let alone one affiliated with the esteemed World Bank, would have made a standard practice starting about 10 years ago?
And then Daboub, reaching once more into his deep bag of condescending remarks, says, "Nonetheless, the WBG will provide affected staff with free credit-monitoring service, identify theft assistance, and other support." You gotta love the word "Nonetheless" at the beginning of that sentence, where the real point of his message shows through: how much more do you sniveling little whiners expect us to do for you??
Plus, in his preceding sentence, Daboub says the Credit Union is going to "monitor unusual activity on all affected accounts," and that's dandy. But if that's already happening, then why does the World Bank also need to "provide affected staff with free credit-monitoring service?" Could it be that Daboub is showing a lack of confidence in his own internal abilities to protect employees? Nonetheless, indeed.
And then we have his final display of underwhelming support for his employees, wherein he says (and in the internal memo, this sentence is highlighted in boldface type!), "All affected staff will by now have been notified by e-mail." I would think that an organization that exposes its employees' names and bank-account numbers on a public server owes those affected employees a lot more than an e-mail alert. It's a simple matter of demonstrating to your colleagues that you value who they are and what they do, rather than trying to just sweep a piddling distraction under the rug as quickly as possible.
While scrutinizing this memo is a bit like shooting fish in a barrel, the memo's language and the thinking expressed by that language deserves to be shot. World-class CIOs achieve their positions by being accountable, by being responsible, by being high achievers, and by being open, fair, and honest communicators. This memo aims for none of that, and serves as a model for the type of communication business executives should strive to avoid.