Shell has been hit by a massive data breach - the contact database for 176,000 staff and contractors at the firm has been copied and forwarded to lobbyists and activists opposed to the company.
John Donovan, an activist who received the database, said he had voluntarily destroyed the files. But he warned that other copies were available online.
The email supposedly comes from 176 "concerned staff" to highlight Shell's activities in Nigeria. The database is about six months old and could have been released by a recently laid off staff member, or there could really be a rogue campaign group within Shell.
Richard Wiseman, chief ethics and compliance officer at Royal Dutch Shell, wrote to staff last week after the breach emerged.
He said: "The Global Address List, containing contact information of everyone in Shell and some contractors, joint ventures and other third parties, has been downloaded without authorisation and distributed to some external parties. We do not know who did this. We are investigating and are raising this theft of information with the relevant data protection authorities."
The company played down the security implications of the loss - it is phone and email details rather than real-world addresses.
But if hackers have got access to Shell's systems then they might have more mischief planned.
The Information Commissioner's Office has launched a consultation on its new auditing powers, due to come into effect April 2010. The powers will allow the ICO to investigate organisations which it believes are failing to properly protect private data. ®