Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Sent sensitive email to personal address
Options
-
31-05-2020 12:20pm#1I messed up at work. This was yesterday afternoon.
In my job I have access to salary information. I've been in the job 4 months (3.5 years in the company) and it's been intense, but i did about 55 hours overtime in the last 2 mths and I feel I'm on top of it. I have some time off this month when I hope to switch off as i am struggling a bit.
Recently someone who reports to me has been insinuating that I've been bullying her. Nothing formal yet, although she has been speaking to my manager and my manager is aware.
I couldn't relax, and ended up logging in yesterday (saturday) and spent the morning making notes on these incidents which i emailed to my manager and forwarded to my personal email. I also asked my manager could i use some of my hours worked as time in lieu in the coming weeks in addition to a week's AL i already booked.
I drafted a few emails in response to general queries, but did not send them, given it's the weekend.
After i that i cleared up a few payroll queries the auditor had forwarded relating to 2019. (I'm not responsible for overseeing payroll at the moment, but i am respobsible for variance analysis and booking to the accounts)
Last month when i was working on the April 2020 wages, i noticed the ceo did not have his salary reduced to 2019 levels following a paycut imposed on the rest of the staff. I figured his contract was more complex than pay increments and salary bands, and the fact the increase was processed the month before that of staff, but I meant to confirm this with my manager. I'm on high alert about these kind of things because i noticed many mistakes and this one would be high profile given the individual involved.
I decided to check May's payroll but it had not been sent to me. I did a quick working in excel to validate jan to apr figures. I took a screenshot of his jan and apr payslips and pasted to excel too. The file i created was too sensitive to send to my manager by email, and leaving it on the network drive with no explanation wouldnt be any better. I left it on my desktop as "book1" even though i probably should have deleted it as the query was simple and didnt require an analysis now that i confirmed the same amount was paid each month (jan backdated in feb, then mar at the new rate, and apr still at the new rate - the amount i was querying)
I was about to log out for the day but before i did, i decided to take the log of all my extra hours, attached it in outlook and sent it to my personal email with no subject. Why? I don't have a good reason other than if things went south I'd have the record.
I also had the email open called "letter to all staff re pay", and figured there wouild be no harm sending it to my personal email too. Both related to my contract.
Well... You can guess what happens next. I opened my personal email and realised i had sent myself the analysis of the senior manager's pay book1.xlsx (rather than Log.xlsx) including payslips-no password , followed immediately by a communication about the paycut. Without a password it's just plain text containing his name and the word "salary"
This was all after sending the "cover my ass" email earlier in the day, which i thought was harmless at the time.
It really is damning. It looks like i prepared an arsenal for blackmail or whistleblowing.
I deleted the salary info from my email, as well outlook and my desktop.
It's a big company with microsoft office 365 and in my view there is no way either email won't be flagged to data protection officer or IT.
My explanation sounds like a shaggy dog. Too much went wrong.
Obviously leaving the country isn't an option (joking)
But what should i do?
Hope data protection and IT are snoozing and have not set up or are not reading their reports? Act ignorant when a big investigation is going on behind my back?
Or come clean, tell my manager i prepared salary details she had no idea i was investigating, that i attached it by mistake instead of a log of hours i worked, and deleted it straight after? The slightest investigation will show the salary freeze email 4 minutes later and other similar emails.
I'm sick with worry. Just, if you're offering me advice be kind, and steer clear of saying i should whistleblow. The person I'm talking about is very decent and not on a fatcat salary.
I know the work made me a bit miserable lately, but i feel I've worked so hard to get on top of it and the 2 weeks off will sort me out. From this point on it should be a regular 9 to 5.
Can't believe i did this.3
Comments
-
First off OP, never even consider sending any work related data to you private email again. At best it may lead to you being dismissed, at worst your employer could (rightly) pursue you legally. I am in no way condoning taking any work related information out of the company, but if you really are going to do that then use a different medium rather than emailing it, especially to your own private email address!
I also would strongly advise keeping your nose out of your CEO's pay etc. unless such tasks fall specifically under your role within the company. If you get involved just for the sake of getting involved, then there really will be not a lot for you gain out of this, and quite a lot to lose.
Coming to what you should now do, I think that your options are pretty limited. If you own up to sending any information out of the company to a private email address, then you could very likely be in big trouble anyway. I think if I was you I would just take my chances and say nothing at all.0 -
The only thing to do here is come clean and admit your error to your manager. If you don't it will be much worse. It sounds like you are under a lot of pressure in work given that you felt the need to log into work emails on your day off. I think taking TOIL is a good idea.0
-
Well you don't need us to tell you that you have stuffed up big time.
One the reasons you don't send confidential data to your own email address is because it is not point to point, the data is stored on provider servers etc... and even when you delete it does not mean it is gone, because there are log files and backup as well and of course memory dumps if a server crashes.
So yo need to take action immediately - follow the GDPR procedures set out by your company, most likely inform your manager ASAP. Unfortunately, the managers involved will also have to be informed as this could comeback on them later of if information was disclosed by your email provider etc...0 -
most companies would have red flags for this sort of thing. You could absolutely loose your job. I would think coming clean is the only option.0
-
There is an option in Office 365 to recall the email. You could be lucky and nobody will have read it given its a bank holiday weekend and there’s a lower chance of people loggin in and catching any flags?
Message - Actions - Recall this message0 -
Advertisement
-
Dublinstiof113610935 wrote:There is an option in Office 365 to recall the email. You could be lucky and nobody will have read it given its a bank holiday weekend and there’s a lower chance of people loggin in and catching any flags?
Message - Actions - Recall this message
Think op has deleted the email so there may be no option to recall.0 -
Your going to have to come clean on this.
Doing that you “may” get away with a discipline but not termination because you brought it to their attention.
If you sit back and say nothing and it gets flagged it seriously looks like you were accessing and taking data your not supposed to be accessing and that would be gross misconduct and deserving of termination.
The termination thing may happen anyway now no matter what but I’d be out there trying to fess up and minimise then impact here.
Waiting and hoping that nobody finds this is bad advice, it will be hanging over you like a sharpened axe.0 -
Will ye STOP!
The OP did silly things, but will not/cannot be terminated. They are in their job too long for that. There is a disciplinary process that would need to be followed.
However, depending on their contract they may be still on probation in their new role, and may lose THAT particular role, depending. But, the company would need to keep them on.
The only advice that can be given is to own up.
However, in reality would I bring this mistake to HR... I'd think twice about it.0 -
Deleted User wrote: »Will ye STOP!
The OP did silly things, but will not/cannot be terminated. They are in their job too long for that. There is a disciplinary process that would need to be followed.
However, depending on their contract they may be still on probation in their new role, and may lose THAT particular role, depending. But, the company would need to keep them on.
The only advice that can be given is to own up.
However, in reality would I bring this mistake to HR... I'd think twice about it.
Accessing and stealing the CEO’s pay data is indeed gross misconduct and in many companies would lead to termination. If OP tries to bury this that’s how it’s going to look.0 -
Accessing and stealing the CEO’s pay data is indeed gross misconduct and in many companies would lead to termination. If OP tries to bury this that’s how it’s going to look.
And the company will be getting an invite to the WRC.
I don't know any company with a passing knowledge of HR that would fire someone over sending other employed information to theitlr private email. Its a disciplinary matter for sure, but no way close to being a termination offence.0 -
Advertisement
-
You didn't send a payslip from whatever accounting software is used correct? You took a screenshot of it and sent that, noone will know about it, nothing in the email will flag. Delete and move on.0
-
Say nothing. I doubt IT will pick up on this - and I say this as someone responsible for data protection in my job0
-
Similar to the above, I'd say nothing. It's a calculated risk obviously. But if you own up I think you are done in the current place anyway. This on top of the bullying allegation. As much as I admire honesty, I'd find it almost impossible to out any trust in you.
It is possible you might legally avoid a sacking but you can kiss your career prospects in the place goodbye.0 -
Dublinstiofán wrote: »There is an option in Office 365 to recall the email. You could be lucky and nobody will have read it given its a bank holiday weekend and there’s a lower chance of people loggin in and catching any flags?
Message - Actions - Recall this message
It does not matter, recalling an email does not mean it was not published outside the firm as it will remain on provider servers, backup set etc... You still need to report the matter. And there is always the chance it will get passed on if it refers to the CEO of an MNC.0 -
So how DLP (Data loss protection) generally works it looks for keywords, metadata or phrases in files.
Saying that you created a .xls and sent it to yourself is very unlikely to flag anything unless there is a requirement of data classification at creation time.
I have worked in many 100k plus employee organisations and would have a good overview of different DLP packages. They are all very simple and it is unlikely to flag based on what you are doing.
As for O365, DLP here is poor also. It's normally down to a person pulling loads of files off sharepoint and copying them locally etc types of things that you look for.
So unless you have a phrase like your company name strictly confidential in the document it is unlikely to raise eyebrows.
These indicators normally have to be pretty solid. Like you get a hit for someone send them internal financial report that has one of these phrases to their external mail and then this kind of gives cause to dig deeper.
You are not the only person who have ever send internal stuff out by mistake. DLP people needs to catch the people where it is not an accident. If your CEO is Irish based there is no way that your company has the level of security to detect what you state above.
One of the companies I worked for is a US defence contractor with US government contracts. They have a IT security budget that would make your eyes water and they would probably not detect the above on it's own as it's an excel you created and not something that you downloaded etc.
Bear in mind that they are not going to say, he was good enough to own up to it and move on. An investigation will be carried out. Depending on the size of the security team an image of your laptop could be take and examined if you did anything else. All email/phone/web history archives could be searched etc.
Funny one I worked for a large IT Security company a few years ago. 1000s of employees. Got an email from payroll that to view our payslip we go to website www.mypaysliporsomething.ie
So off I go, to login it was my email address and password was employee ID.
So I go to payroll wtf? She goes I don't see the problem as your employee ID is private.
I had to open up a browser of the Active Directory that everyone could use to show her own one.
So then they get IT to block the site ( from internal to external ) so if I had wanted to I could have logged in externally and check everyone payslip. I also told them this is beyond a joke and the access needs to blocked until it is fixed.
I go I have changed my password and the payroll person goes no don't do that. I say why. Because I can't login in then to check your payslip. At this stage I am hitting my head against the wall. She still works there so really I think on the level of f up. Yes this is big but highlighting it will go very very bad for you.0 -
It does not matter, recalling an email does not mean it was not published outside the firm as it will remain on provider servers, backup set etc... You still need to report the matter. And there is always the chance it will get passed on if it refers to the CEO of an MNC.
You can only recall mails sent to internal users who have not read it. If you sent it to gmail you can't recall it.0 -
I have been under enormous pressure.. Pressure i put myself under, but also there's no turning to someome next to you to ask a quick question.
There is absolutely strong DLP as it's a separate function to IT, and the working i did contained text and weren't password protected.
There's more to it.
Im finding the lockdown tough and i havent been able to take AL.
I was off Friday but logged in thursday night to prepare an email to my manager saying i wasnt happy with how i was treated by a staff member, which i was going to send at a reasonable time friday morning.
Friday morning i logged in to send them email and ended up replying to a few more.
Friday night i started into a query at 10pm and worked til 2am.
Saturday morning i work at 6am and finushed the query.. I went from feeling overwhelmed to a bit manic.
At 10am i was happy to have finished. I joked before with my brother that i was a functional alcoholic when he noticed i always drank after a stressful day.
Well, guess im not functional anymore.
Shortly after 10 i opened a can. I had a bunch of cans for gardening..
I turned the laptop back on and did a bit more work. Then i sent an email, while drinking, lack of sleep in a somewhat manic state... It wasnt a terrible email but it was too long. Basically last month files were so late, i knew if the same happened this month it would clash with my planned leave.
Well a few cans later and that salary issue was on my mind. I said I'd check it on tuesday. But then i said, it'll take me 20 mins. I was thinking, im on the vpn at this hour..
It was nearing 2.30pm and i was determined to log out.
I was pissed. I said, right, save this, I'll email that later, I'll leave my workings on the desktop.. I'd like to say it was simply a case of attaching the wrong file. And i sent it. And i thought, well accidents happen, no one will notice.
My sister sent me a message and i barely read it, i just replied to say i had been finishing up work stuff so i could enjoy the rest of my weekend. I was actually satisfied with my day's "work".
I had no more cans and poured a whiskey in a large 60ml shot glass id been using as a measure. I took a photo and sent it to my brother. 3pm. I sent another message to ssy i wasnt drinking yet.
I went to the sofa in the attic and slept til 8.
Woke up.
Got the laptop. Deleted sent items. Turned it off. Turned it on. Deleted the file from the desktop. Turned it off.
Slept til 7am on sunday.
Spent all morning thinking every conversation i could have.. Weighed up the risks of coming clean vs the chance it won't be flagged.
My mother invited me for dinner. I ate. I lay on a bench outside and slept. She asked me was work ok.
After a few hours i said i was going home for a walk. I went home to bed.
Bank holiday monday morning, i did some meditation, as best i could. All i kept thinking about were spreadsheets and deadlines and conversatioms about that email.
And then i thought..
If i spend a few hours now on those audit queries it will take some pressure off me next week.
That's when i realised i lost it.
I stayed in bed until 12.30, my mother invited me out again..
I sat there looking at her and dad, really unable to believe i was hardly acknowledging either of them or any of my friends since the lockdown started.
I was a lot more relaxed.
I went home and all evening put on spotify meditation playlists, breathing exercises.. Im feeling better.
I didnt drink since Saturday.
I'm not going to mention anything at work.
I'm going to phone the doctor today and see about antidepressants until i get through this. I'll try to arrange counseling over the phone.
I'll phome my manager and let her know that Im on top of my work but I've been finding it hard to switch off and if we could delay anything important or until after my leave.
Thanks for reading.0 -
Soimessedup wrote: »I have been under enormous pressure.. Pressure i put myself under, but also there's no turning to someome next to you to ask a quick question.
There is absolutely strong DLP as it's a separate function to IT, and the working i did contained text and weren't password protected.
There's more to it.
Im finding the lockdown tough and i havent been able to take AL.
I was off Friday but logged in thursday night to prepare an email to my manager saying i wasnt happy with how i was treated by a staff member, which i was going to send at a reasonable time friday morning.
Friday morning i logged in to send them email and ended up replying to a few more.
Friday night i started into a query at 10pm and worked til 2am.
Saturday morning i work at 6am and finushed the query.. I went from feeling overwhelmed to a bit manic.
At 10am i was happy to have finished. I joked before with my brother that i was a functional alcoholic when he noticed i always drank after a stressful day.
Well, guess im not functional anymore.
Shortly after 10 i opened a can. I had a bunch of cans for gardening..
I turned the laptop back on and did a bit more work. Then i sent an email, while drinking, lack of sleep in a somewhat manic state... It wasnt a terrible email but it was too long. Basically last month files were so late, i knew if the same happened this month it would clash with my planned leave.
Well a few cans later and that salary issue was on my mind. I said I'd check it on tuesday. But then i said, it'll take me 20 mins. I was thinking, im on the vpn at this hour..
It was nearing 2.30pm and i was determined to log out.
I was pissed. I said, right, save this, I'll email that later, I'll leave my workings on the desktop.. I'd like to say it was simply a case of attaching the wrong file. And i sent it. And i thought, well accidents happen, no one will notice.
My sister sent me a message and i barely read it, i just replied to say i had been finishing up work stuff so i could enjoy the rest of my weekend. I was actually satisfied with my day's "work".
I had no more cans and poured a whiskey in a large 60ml shot glass id been using as a measure. I took a photo and sent it to my brother. 3pm. I sent another message to ssy i wasnt drinking yet.
I went to the sofa in the attic and slept til 8.
Woke up.
Got the laptop. Deleted sent items. Turned it off. Turned it on. Deleted the file from the desktop. Turned it off.
Slept til 7am on sunday.
Spent all morning thinking every conversation i could have.. Weighed up the risks of coming clean vs the chance it won't be flagged.
My mother invited me for dinner. I ate. I lay on a bench outside and slept. She asked me was work ok.
After a few hours i said i was going home for a walk. I went home to bed.
Bank holiday monday morning, i did some meditation, as best i could. All i kept thinking about were spreadsheets and deadlines and conversatioms about that email.
And then i thought..
If i spend a few hours now on those audit queries it will take some pressure off me next week.
That's when i realised i lost it.
I stayed in bed until 12.30, my mother invited me out again..
I sat there looking at her and dad, really unable to believe i was hardly acknowledging either of them or any of my friends since the lockdown started.
I was a lot more relaxed.
I went home and all evening put on spotify meditation playlists, breathing exercises.. Im feeling better.
I didnt drink since Saturday.
I'm not going to mention anything at work.
I'm going to phone the doctor today and see about antidepressants until i get through this. I'll try to arrange counseling over the phone.
I'll phome my manager and let her know that Im on top of my work but I've been finding it hard to switch off and if we could delay anything important or until after my leave.
Thanks for reading.
I can't offer too much in specific advise but as someone else mentioned this will very unlikely get picked up by anyone internally so try not to get too worked up over it.
You need to look after yourself and you are the priority and not your job. It is easier said than done but there really is very little in work that can't wait until 'the next day' and I have been on both sides (having the deliverable and also waiting on someone to deliver.
About 10years ago I went through a 6 week period where I didn't have a single day off and worked on average 16hours a day, often times working until 6am and having my Garda friend collecting me when he was finished a night shift. It's only looking back on it that I realise that while the work absolutely needed to get done that (i) I should have been asking for additional support and (ii) the world wouldn't end if I didn't make the deadline
Great that you are going to seek professional help for your own personal situation but also sounds like you may need to speak to your manager to (a) take some time off and (b) how to sort your workload in terms of either prioritising to remove some of the pressure or request additional resources if required.
There is not going to be fixed with a flick of a switch but please make sure you are talking to someone as that pent up pressure and stress along with the drinking and the lockdown is really going to take its toll.0 -
OP, you need to close the laptop at quitting time and leave it closed. Your work won't thank you for burning out.0
-
Ive worked in IT, IT security and all sorts of roles in big companies. Never, ever have I heard of anyone getting flagged automatically for sending mails to personal addresses. Millions of mails are sent to millions of addresses. noone scans them.
Have you any idea how much work it would take for an IT guy to chase this up? aint nobody got time for that.
This is over stress anxiety saying mad stuff thats not real.
never get involved with CEO stuff, ever, ever ever. get rid of it all, you never saw anything.0 -
Advertisement
-
OP, I do not need to be unnecessarily blunt, but it seems to me that there are a whole load of issues in play here rather than work email.
Perhaps open a thread in 'Personal Issues'.
All the best.0 -
Don't fret about the email but don't be sending anything to your personal email account in future.
Take some time off and relax0 -
Wabbit Ears wrote: »Ive worked in IT, IT security and all sorts of roles in big companies. Never, ever have I heard of anyone getting flagged automatically for sending mails to personal addresses. Millions of mails are sent to millions of addresses. noone scans them.
It actually does not take much time because it is automated, we use algorithms that detect the closes of out going addresses to valid client email and staff addresses, we also misuse the frequency of emails to such addresses and the types of mails being send.
And with GDPR it is a growing market. Both in terms of avoiding screw up and catching people who are stealing data.0 -
It actually does not take much time because it is automated, we use algorithms that detect the closes of out going addresses to valid client email and staff addresses, we also misuse the frequency of emails to such addresses and the types of mails being send.
And with GDPR it is a growing market. Both in terms of avoiding screw up and catching people who are stealing data.
The Americanization of companies here is a cancer. In ireland we are supposed to be more civil and understanding about the lines between professional and personal.
This type of surveilance is generally not allowed in Ireland as it falls short of guidelines on necessary, legitimate and proportionate
Is the monitoring necessary, legitimate and proportionate?
If your employer wants to monitor your internet use or your emails, it must be:
Necessary – your employer must be sure that monitoring is necessary and should consider less intrusive ways of supervising you before deciding on monitoring. For example, blocking websites would be less intrusive - and generally more acceptable - than monitoring internet search history.
Legitimate – the monitoring should have a legal basis, for example, to ensure that employees are not using the internet to download pornography, or to disclose confidential company information to people outside the organisation.
Proportionate – your employer’s monitoring must be proportionate to the risk of the perceived threat happening. Monitoring all of your emails to ensure that you are not passing on confidential information about the company would not be proportionate. However, monitoring your emails using an automated system to scan for viruses would probably considered be proportionate.0 -
Wabbit Ears wrote: »The Americanization of companies here is a cancer. In ireland we are supposed to be more civil and understanding about the lines between professional and personal.
This type of surveilance is generally not allowed in Ireland as it falls short of guidelines on necessary, legitimate and proportionate
Is the monitoring necessary, legitimate and proportionate?
If your employer wants to monitor your internet use or your emails, it must be:
Necessary – your employer must be sure that monitoring is necessary and should consider less intrusive ways of supervising you before deciding on monitoring. For example, blocking websites would be less intrusive - and generally more acceptable - than monitoring internet search history.
Legitimate – the monitoring should have a legal basis, for example, to ensure that employees are not using the internet to download pornography, or to disclose confidential company information to people outside the organisation.
Proportionate – your employer’s monitoring must be proportionate to the risk of the perceived threat happening. Monitoring all of your emails to ensure that you are not passing on confidential information about the company would not be proportionate. However, monitoring your emails using an automated system to scan for viruses would probably considered be proportionate.
In fairness in this case the OP downloaded sensitive data relating to the CEO of the company and sent that off site to a non secure email address without permission and as far as the company knows could be for any number of suspicious reasons.
That probably justifies all three criteria you listed above to be implemented.0 -
In fairness in this case the OP downloaded sensitive data relating to the CEO of the company and sent that off site to a non secure email address without permission and as far as the company knows could be for any number of suspicious reasons.
That probably justifies all three criteria you listed above to be implemented.
Her doing that would be the exception rather than the norm, Most people don't do the stuff she did.0 -
Wabbit Ears wrote: »Her doing that would be the exception rather than the norm, Most people don't do the stuff she did.
Only one way to know.0 -
As some have already mentioned, I'd be surprised if it got flagged. The name and file type aren't suspicious. The security guys would have to be opening up and reading every email and file in the company to get to you.
But if you're really concerned you could let your manager know. They already trust you with this sensitive data, so they should trust that it was an honest mistake (emphasis on should as I don't know the people or the culture in your company).0 -
Three days since the last post, OP.
Don't drink while logged in remotely.
Take some time off asap.
Good luck.0 -
Advertisement
-
You have some faith in your IT
0
![[Deleted User]](/applications/dashboard/design/images/defaulticon.png)
Advertisement