Viewing 40 posts - 41 through 80 (of 82 total)
  • MS Outlook recall – how effective? Data breach issue.
  • Cougar
    Full Member

    I sure as hell would not want to be that member of admin with access to all that information.

    On a point of order, when I was in IT I always instructed people *not* to tell me their password (usually before they blurted it out unprompted but not always). I don’t need it, and I absolutely don’t want it. I don’t want the finger of suspicion when you do something stupid tomorrow. If I need to monitor, say, Internet activity or emails then I’d do that serverside where access control is tightly controlled and readily visible.

    The policy we had is that if something is done in your name, you’re culpable. Either you did it, or you were careless with your passwords and that’s still your fault. A management policy demanding passwords undermines that. I can only assume / hope that it’s born out of ignorance. If it were me in IT there I’d be asking why they felt they needed to do this and then if it was reasonable I’d give them what they needed in a proper, controlled fashion. “Password lists” are insane and there’s absolutely no justifiable reason to do it.

    Cougar
    Full Member

    Yes, last two places, the IT dept (one was an external supplier) asked for passwords. I resisted, but was told to tell them. Just seemed totally wrong, but I wasn’t IT so had to do as I was told.

    I’d have refused, or given them a password and then changed it the next day.

    In fact that’s just reminded me, years back my non-technical boss kept demanding the master domain admin password. After a bit of to-ing and fro-ing with me getting busted for giving him dummy passwords, I wound up creating a new Admin account and revoking the rights on the Administrator account to turn it into a regular user with ‘log on locally’ rights to the server. He was happy with that, he tested the login to see that it worked but didn’t actually try to do anything.

    tjagain
    Full Member

    devash – Member

    She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again.

    I’d say that she is due a very large payout from an employment tribunal for reputation damage.

    Nope – not a chance. Tribunals only award for financial losses and there are no grounds for going to a tribunal here.

    tjagain
    Full Member

    Well maybe if she is in a position that she ends up forced to resign (constructive dismissal) and is able to show the reputational damage has cost her further employment.

    However, from what we know I don’t see this as a constructive dismissal at all.

    I think I would tell the director responsible that she needs to repair the damage to her reputation by sending a follow up email to the entire list stating it was not her who sent the email but someone else with access to her email and sod the bosses on that. If they sack her for that then a tribunal claim is much stronger.

    Legal advice is a good step

    poly
    Free Member

    Regarding logins and passwords in a business…. Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform ‘admin’ of their new password(s) when they change it? I’ve taken advice from the IT bods where I work and they find it unfathomable. Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin who will collate them and save them in a password protected file which only members of senior management can access. That sounds inept, paranoid and controlling and all kinds of wrong to me. And as stated above it would surely be almost impossible to pin malpractice on anyone as they could always claim that others had access to their accounts so it is unprovable. I sure as hell would not want to be that member of admin with access to all that information.

    Managers who don’t understand IT are inevitably lost in the modern world. They likely haven’t demanded this because they MUST have it but because they haven’t understood the alternatives. Unfortunately success in IT isn’t always linked to your ability to communicate effectively with the business stakeholders and so the IT team are at least partly to blame. It sounds like the sort of thing that happens in SMEs where there isn’t a real IT person, just ‘bob’ who likes computers and who made something in MS Access once and so fell into it.

    …but knows doing so will also mean she is unlikely to work in the profession again. And none of it was her fault.

    I don’t know which industry she is in, but many of the more sensitive ones are much more enthusiastic about whistleblowers and those who stand up for doing things right than they used to be. I’d be surprised if the industry was so small it closed all doors. However, before she goes saying “none of this is my fault”, I think there needs to be a moment of reflection; it was foreseeable that security breaches would happen with the approach they were taking. Everyone has a duty to highlight security vulnerabilities which affect people’s personal data. If she works in a sector where she could really be expected to suffer huge reputational damage for this, I’d think having knowingly allowed this sort of account sharing to go on reflects badly too. It’s difficult to know how much the “industry” would blame her, without knowing the industry or the size of the company.

    DickBarton
    Full Member

    Email admin a made up password…it will only be known when they try to use it again…

    convert
    Full Member

    I don’t know which industry she is in, but many of the more sensitive ones are much more enthusiastic about whistleblowers and those who stand up for doing things right than they used to be. I’d be surprised if the industry was so small it closed all doors. However, before she goes saying “none of this is my fault”, I think there needs to be a moment of reflection; it was foreseeable that security breaches would happen with the approach they were taking. Everyone has a duty to highlight security vulnerabilities which affect people’s personal data. If she works in a sector where she could really be expected to suffer huge reputational damage for this, I’d think having knowingly allowed this sort of account sharing to go on reflects badly too. It’s difficult to know how much the “industry” would blame her, without knowing the industry or the size of the company.

    You are absolutely right – I have been nagging her for a while about making a fuss but I’m far more bolshy at work and find confrontation less stressful. The issue is twofold however – there is the loss of reputation element but there is also the issue that the director is very well connected, indeed is regional chair of the professional body. It’s not unknown for her to ‘bad mouth’ in subtle and underhand ways. Leaving on very bad terms would have an impact irrespective of whether you were 100% in the right. It would be really messy. Ultimately employers would look to avoid a new employee with a ‘rumour’ to their name – it’s just not worth the hassle if you have another option.

    ghostlymachine
    Free Member

    FWIW one of my managers back in the dim and distant past (mid 90s) insisted on having access to all contractors’ accounts. Several of us refused. He threatened and blustered and swore. Until HR got involved.

    Once they found out how long and how thoroughly he’d been doing it (he told them everything, thinking it was good, sensible management of contracting scum who can’t be trusted) he was demoted, moved to another role, in another department on a different site. That was quite a major US corporation.

    ghostlymachine
    Free Member

    The issue is twofold however – there is the loss of reputation element but there is also the issue that the director is very well connected, indeed is regional chair of the professional body. It’s not unknown for her to ‘bad mouth’ in subtle and underhand ways.

    if there is anything concrete/traceable connecting the director to this sort of behaviour, they won’t be regional chair for very long after the whistle has been blown………

    Rio
    Full Member

    Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin

    Quite apart from being bad practice it’s hard to see why this would affect the likelihood of recurrence of the original problem. Is it a case of “we need to do something” and this is “something”? Odd behaviour if this is an industry where confidentiality is important.

    yourguitarhero
    Free Member

    What industry?

    cornholio98
    Free Member

    All in all this is a thoroughly disheartening thread.

    Someone has done something stupid in a doubly stupid manner and the response is not to stop that ever happening again as a director will have complete power over the admin.

    Get proper legal advice and then approach the company. If there is a regulatory body for the profession you may also consult them.

    fanatic278
    Free Member

    In the long run it might not be as serious as it seems to you/her right now. Granted, she has been shat on from a great height, but are the long term consequences as severe as you really think?

    I work in a relatively niche career, so I know most people in the region who do what I do. I am on the local committee for my profession. People who are atrocious at their jobs, with a very poor reputation still somehow manage to keep employed. Your wife is probably well regarded in her region and professional circle, and there may be minimal long term consequences. That’s the optimistic hope, anyway.

    Was this act really a doomsday occurrence? If she is a recruiter and all her address book has been exposed, then is this so bad? Everybody is on at least one recruiter’s address book somewhere. It doesn’t mean we are actively looking for a new job.

    I don’t know enough about the specifics. But hopefully it’s not at all as bad as it seems right now.

    Cougar
    Full Member

    Is there anything stopping her from sending out an email apologising, explaining that it was done in her absence and without her knowledge / consent? I don’t see why she’d have to “whistle-blow” just to go “wasn’t me, guv.”

    Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin

    Sounds like buck passing. They’re not acknowledging where the root cause was, they’re making it look like it was someone else in the organisation.

    slowoldgit
    Free Member

    Sorry I’m late to the party. Is it likely that one of the many recipients happened to work at a place with decent HR and IT admin? Then such a person went to speak to them saying ‘This seems odd and wrong, it looks like they are sharing my personal stuff’. And they chose to act. Should there be a Responsible Person in Mrs c’s work, to whom such complaints could be made? Head of data security, that sort of JD.

    When the excrement hits the expelair, it would be nice if it landed at Board level.

    Not suggesting that one of Mrs c’s more personal contacts might make a fuss.

    slowster
    Free Member

    In the long run it might not be as serious as it seems to you/her right now. Granted, she has been shat on from a great height, but are the long term consequences as severe as you really think?

    It’s probably very difficult to keep everything in perspective and take a detached long term view, and obviously only your wife knows what her industry is like and how others in the industry and (potential/existing) clients might react if they learn what has happened, both the untrue version (she did it) and the truth.

    I would be wary of acting too hastily, whether that be trying to force the company/director to tell all the email recipients that it was not her fault, or going along with any plan the company/director might have to placate clients without telling them the truth or even actively lying to the clients.

    I suspect that her best approach may be to be patient and see how events play out, and respond to them accordingly only when they happen and when she can better see the lie of land as it were, rather than trying to force the issue which may be a high risk strategy for someone who is the more junior person in the organisation and industry.

    Taking two extremes:

    Firstly, this might prove to be a storm in a teacup which becomes ancient history in a few years, with no lasting damage to the company, the director, or your wife. If so kicking up a fuss now may be counterproductive.

    Secondly, if the incident is going to cause major reputational and commercial damage, it is likely to be something that will take a little while to build up to a crisis point, and in that event the longer it goes on the stronger your wife’s position and the weaker the director’s, for the simple reason that it was the director’s mistake.

    Put crudely, if the whole thing can be easily and quickly glossed over by the company with no long term harm, the more likely it is that they will agree to cover up for their fellow director/part owner. It will probably only be if the stakes become so high that the future of the company (and the investment of the other part owners) is threatened, that those other owners would be prepared to publicly blame their fellow director, which would be a nuclear option, especially if it meant having to buy her out/pay her off, and might not be effective damage limitation if the company is fatally hurt by the incident anyway.

    My advice would therefore be for your wife to play a waiting game for now and keep her options open. She probably needs to avoid being drawn into any cover up or fake explanation concocted by the company which would entail her telling lies to clients. At the same time for now she probably needs to avoid telling clients it was the director that did it. So she needs to be very careful what she says to clients. In her shoes if a client complained to me about what had happened, I would have a prepared script, e.g. maybe something like, “I’m extremely sorry this has happened. I am not in a position to be able to say what happened, but I can tell you that I did not send that email, and was on holiday at the time. I can only apologise on behalf of the company”. The trick is to communicate this message confidently, and not to ‘protest too much’ to clients that it wasn’t her.

    If clients complain directly to the directors/owners, and they threaten to blame your wife as part of a cover up, then I guess the gloves are off. Blaming your wife would be a high risk strategy for them, since it would leave them open not only probably to a case for constructive dismissal, but also defamation (destroying someone’s business reputation by libel/slander would be an extremely expensive and damaging legal case for them to lose). If it gets to that stage, your wife will clearly need legal advice. Since the email went to your wife’s private email address, she is presumably in a position to (threaten to) email the clients and tell them the truth, although that is a nuclear option. It might well be that the best option would be if the company offered her a life changing sum in compensation with a gagging clause, to enable her to retire early or retrain. If she blows the whistle, the company might be destroyed by the fall out, and your wife’s career might still be harmed, but there would be no financial compensation.

    tonyf1
    Free Member

    If the complaint is related to disclosure of personal information, could your wife whistleblow anonymously or get someone on the list to report the breach to the Information Commissioner’s Office, which then takes it out of the company’s hands?

    A likely outcome of this would be the company having to contact those on the list to explain the circumstances of the breach thus removing any perceived blame from your wife.

    tthew
    Full Member

    get someone on the list to report the breach to the Information Commissioner’s Office

    I looked into this for a different reason recently. You have to report the issue to the originating organisation first, and if you are not satisfied with their response then you contact the ICO. Might not be a bad approach though.

    drlex
    Free Member

    ^ Given how much a year my company pays in ICO fees, please make them do some work.

    FuzzyWuzzy
    Full Member

    Our IT Policy specifically prohibits the sharing of passwords and rightly so for user-specific accounts.

    There is NO reason at all for someone else to know your password (assuming LDAP/Active Directory in place and nothing stupid is being done like using user accounts for things like SQL rights, service logons etc.). If you don’t have centralised accounts and for some reason can’t have multiple local accounts then use a generic account name so there’s no implied accountability for you.

    As has been said, if an administrator/manager needs to be able to log on as your account then they should be given rights to change your password, not your password itself. Auditing should also be in place to clearly record the password change (and which account was used to make the password change).

    If some crappy policy dictated I give my user account password to someone else then I would but I’d change it after and say I forgot (or made a typo in the email). Everyone sending their passwords via email is a joke in itself, email systems are one of the primary targets for anyone hacking into your network (and that could be a 5 minute phishing based attack not elite Russian hackers breaching your firewalls).

    If someone needs to routinely access your mailbox for a legitimate reason then they should just be given rights to your mailbox (ideally not send on behalf of, but at least even with that you can set up auditing easily enough to capture which account was used when the mailbox was accessed).
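    The delegation-and-auditing approach described in the post above, written out as an added example (this is not code from the thread or from any poster). It assumes on-premises Exchange with the Exchange Management Shell loaded and an Active Directory domain; the mailbox name, delegate, group and OU path are placeholders.

    ```powershell
    # Added example: give a colleague rights to a mailbox and audit their use of it,
    # and delegate password resets to a group, instead of collecting user passwords.
    # Assumes on-prem Exchange Management Shell + AD; all names below are placeholders.

    $Mailbox  = 'jane.doe'        # user whose mailbox needs covering while away
    $Delegate = 'office.manager'  # colleague who legitimately needs to read it

    # 1. Grant Full Access only. Deliberately no Send As / Send on Behalf: the
    #    delegate can read and file, but anything they send goes out under their
    #    own name, so accountability stays with the person who acted.
    Add-MailboxPermission -Identity $Mailbox -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false

    # 2. Switch on mailbox auditing so delegate actions are logged against the
    #    delegate's account rather than the mailbox owner's.
    Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
        -AuditDelegate Create,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,MoveToDeletedItems

    # 3. Review what delegates did in the mailbox over the last seven days.
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
        Select-Object LastAccessed, LogonUserDisplayName, Operation, ItemSubject |
        Format-Table -AutoSize

    # 4. Where a manager must be able to get into an account (not just a mailbox),
    #    delegate the "Reset Password" right on the staff OU to a group. dsacls is
    #    built into Windows; the OU and group are placeholders.
    dsacls 'OU=Staff,DC=example,DC=local' /I:S /G 'EXAMPLE\HelpdeskPwdReset:CA;Reset Password;user'

    # 5. Each reset is then recorded in the domain controller's Security log as
    #    event 4724, naming the account that performed it (requires the
    #    "Audit User Account Management" policy to be enabled).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents 20 |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            [pscustomobject]@{
                When    = $_.TimeCreated
                Target  = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
                ResetBy = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
            }
        }
    ```

    Step 5 must run on (or query) a domain controller, since that is where account-management events are written.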

    mmannerr
    Full Member

    Can’t understand why people allow places like these to get away with this kind of behaviour.
    They probably forge your signature too “for convenience”.

    tjagain
    Full Member

    ICO sounds a good bet.

    DezB
    Free Member

    Anyone see “Line of Duty” last night? “I need your username and password” Here it is on this Post It note! thanks!
    I thought that was the most unrealistic part of a pretty far fetched storyline… apparently not!

    MSP
    Full Member

    Information Commissioner’s Office

    I don’t think they would be at all concerned with a visible email “in copy” list, in fact they might well tell you to stop wasting their time.

    tjagain
    Full Member

    If it’s a breach of data protection, which on the surface it would be, then they would be interested.
    Effectively the company gave everyone on the list everyone’s email address. That’s a clear breach of data protection in my book. Also the email address might not have been given to the company for this purpose – another breach.

    swedishmatt
    Free Member

    You should anonymize this thread.

    1. If the industry is “legal” then anonymize further.
    2. Remove the bit about regional chair. Easily identifiable.

    pat12
    Free Member

    Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin

    Humm changing everyone’s password to one you know and preventing them from changing it would be bad.. but would be one approach.

    Attempting to share mailboxes by asking people nicely for their passwords then hoping they will send the correct one seem pretty silly to me.

    I’m the world’s worst (self appointed) email administrator and I’d not even do that 🙂

    Cougar
    Full Member

    Incidentally,

    Given the whataboutery of the importance of this “industry” she’s in, I’m guessing that they’re placed to legally require a Data Protection Officer. What do they have to say about the matter?

    IHN
    Full Member

    Effectively the company gave everyone on the list everyone’s email address. That’s a clear breach of data protection in my book

    email address isn’t classed as sensitive data from a DPA perspective, so the ICO wouldn’t be that concerned

    Also the email address might not have been given to the company for this purpose

    I think the chances are that the email address was given for the purposes of email contact, which is exactly what it’s been used for. It doesn’t sound like a marketing mailing.

    slowster
    Free Member

    Judging by convert’s posts, the company sounds like a relatively small one, and the industry itself is not that large. Given that, to suggest whistleblowing or that convert’s wife should seek recourse under the Data Protection Act (or that she should encourage clients to do so) is naive.

    That sort of approach might be appropriate for large corporations (but see the recent example of Barclays where the CEO tried to identify an anonymous whistleblower), it’s unlikely to be appropriate for a small business, unless in a heavily regulated industry where enforcement action could well result in someone being barred from the industry by the regulator or courts. In comparison to that any enforcement action under the Data Protection Act is likely to be trivial.

    If convert’s wife is in something like the recruitment industry, then this is going to be fundamentally a matter of professional reputation and its commercial impact on the business and on the career of convert’s wife. Her problem is that the person who sent the email using her email address is a director and part owner with a lot of influence in the industry. That means convert’s wife is in a very weak position, and the only thing in her favour is that she was not responsible for the mistake.

    scaled
    Free Member

    Does she work for an administrators? 😀

    Seems that the folks managing the Trans Savoie administration had a bit of a Friday afternoon moment and CC’d all the creditors at once (then issued 4 recalls) *oops*

    I’m desperately resisting the urge to reply to all 😀

    footflaps
    Full Member

    They probably forge your signature too “for convenience”.

    I have our Director’s signatures as PNGs, handy if I need to knock up a letter of invite etc for someone and no one is about..

    tjagain
    Full Member

    Any update on this? I am curious as to how it turned out and what the legal implications are

    ratherbeintobago
    Full Member

    I have our Director’s signatures as PNGs, handy if I need to knock up a letter of invite etc for someone and no one is about..

    I got asked by one of our admins if I had an electronic signature.

    What she meant was ‘did I have a scanned .tif of my signature’.

    Not quite the same thing…

    mmannerr
    Full Member

    I have our Director’s signatures as PNGs, handy if I need to knock up a letter of invite etc for someone and no one is about..

    Pretty modern solution if you have PNGs. I have to admit that I actually wrote code to automate a factory’s orders to suppliers via fax back in the 90s. The system used signatures from BMP files 🙂
    Still the situation described by OP sounds quite nasty, almost Trumpian.

    Cougar
    Full Member

    Pretty modern stupid solution if you have PNGs.

    FTFY.

    mmannerr
    Full Member

    “Back in my days we only had ones and zeroes to program with, these days the youth have PNGs and everything…”

    convert
    Full Member

    Any update on this? I am curious as to how it turned out and what the legal implications are

    Not good.

    All the right people were informed (by the company owner) so the legal and compliance side all good. However the director continued to lie about what happened through the investigation and ‘manipulated’ the apologies to affected people to cover her own involvement and allow enough grey to imply Mrs C’s guilt.

    Relationship broke down – essentially this woman is a bully and couldn’t stand being challenged. This was only one of a number of issues with her but it’s fair to say sociopath and compulsive liar are phrases Mrs C would use to describe her. She went in today and resigned (to the owner not the director, citing the director’s lack of morals and professionalism and attempted bullying after the incident as her reasons for leaving). Resignation accepted and she was home by midday with the director shouting insults at her across the open office as she left the building. Since getting home she has had a volley of messages from other employees wishing her well and saying how much they would not have been able to work with the woman in the way Mrs C had to.

    Probably good grounds for constructive dismissal – I’m no lawyer but she might explore that when the dust has settled. Just glad she is home and out of that toxic environment. We’ll worry about rebuilding her career once she has had time to lick her wounds and if nothing else she’ll get to enjoy the summer whilst looking for a job. Some things are more important than money.

    tjagain
    Full Member

    Ta for the update

    Seems to me like a possible constructive dismissal – far closer to it than the usual examples on here. I wouldn’t let the dust settle too long and I would get legal advice on this

    I think I would threaten constructive dismissal and look for a payoff in exchange for silence.

    oldnpastit
    Full Member

    Sounds awful.
