Does my employer have the right to phishing a personal account for security purposes? [closed]
A few days ago I received a LinkedIn invitation email from some other employee of the company. I clicked the email link to check this person's LinkedIn profile, logged in to LinkedIn with my personal account and, voilà, it turned out it was a phishing test from my company to test how prone employees were to phishing attacks.
I did not check the URL domain of the link, something I do most of the time, but that email totally caught me by surprise.
There are several things that should be changed in this test:
- My employer (which hired the services of a third-party company similar to PhishMe) effectively hacked a personal account that had nothing to do with the company account. They extracted from me the email address and password associated with my LinkedIn account.
- Both my employer and the third-party company store the email and password typed into the fake LinkedIn login form. The form does not send the information anywhere. However, this is not written anywhere, and I only found out after inspecting the HTML form and JavaScript.
- At no moment of this test is the victim advised to immediately reset the password (in case credentials are stolen). They do not tell you either that the credentials captured are actually not sent and the form does not work. Other basic security prevention measures, like checking the domain in the URL link, are never suggested. This puts in doubt the educational and awareness-raising purpose of these tests.
- The fake LinkedIn form did not use an HTTPS connection. Credentials were sent to the outsourced phishing test company in bare plain text. See bullet point 2.
- Does LinkedIn authorise the use of its image and trust for this kind of test?
This test is a factual successful phishing attack where personal credentials not related to the company are leaked to third parties. Is this legal even when it has a paradoxical security purpose?
Edit: my LinkedIn account had a unique password (different from my other personal accounts) and was not associated with any other external service or account. I changed my LinkedIn password straight away once the phishing message was shown.
Edit 2: (1) My concern is not about the test itself but about the liberties they have taken to carry it out. I do not want a company to test CORPORATE phishing awareness with PERSONAL accounts to the point that they effectively stole my credentials. (2) They do store the email and password typed. The phishing company sells this fact as an amazing feature of its phishing platform. See bullet point 2. The phishing company only stores the times and the corporate user who accessed the form.
linkedin security privacy
closed as off-topic by gnat, IDrinkandIKnowThings, David K, user52889, NotMe Apr 25 '16 at 20:53
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – gnat, IDrinkandIKnowThings, David K, NotMe
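The question's bullet points name two checks a recipient (or a mail filter) can make before typing anything into a login form: whether the host the link really points to belongs to the brand the link names, and whether the page is served over HTTPS. The script below is an added example and is not code from the question or from any phishing-simulation vendor; the sample e-mail HTML, the hostnames in it and the KNOWN_BRANDS allow-list are constructed for illustration, and the "last two labels" domain heuristic is a deliberate simplification that a real check would replace with a public-suffix list.

```python
"""Audit the links in an e-mail body: does each link's real host belong to the
brand it claims, and is it served over HTTPS?  Added example; the sample HTML,
hostnames and allow-list below are constructed, not taken from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a user may be asked to log in to, mapped to the registrable domains they
# legitimately use.  Constructed, minimal allow-list for the example.
KNOWN_BRANDS = {
    "linkedin": {"linkedin.com"},
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels heuristic (no public-suffix list); fine for .com-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"not HTTPS ({parsed.scheme or 'no scheme'})")
    # Which brand does the link claim to be?  Look at both the visible text and
    # the host itself, so "linkedin.lookalike.example" is caught as well.
    haystack = (text + " " + host).lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in haystack and registrable_domain(host) not in domains:
            findings.append(f"mentions {brand} but points at {host}")
    return findings


def audit_email_html(html):
    """Return {href: [findings]} for every link that has at least one finding."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample: one legitimate link and one lookalike served over plain HTTP.
SAMPLE_EMAIL = """
<p>Jane Doe wants to connect on LinkedIn.</p>
<a href="https://www.linkedin.com/in/jane-doe">View profile</a>
<a href="http://linkedin.example-phish-test.invalid/login">Accept invitation on LinkedIn</a>
"""

if __name__ == "__main__":
    for flagged_href, flagged in audit_email_html(SAMPLE_EMAIL).items():
        print(flagged_href, "->", "; ".join(flagged))
```

Run as a script it prints only the second link, with both findings; the legitimate `www.linkedin.com` link produces none. The same two questions (real host versus claimed brand, HTTPS or not) are what the question says a simulation's debrief page should be teaching.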
24
You are paradoxically mad that they are poorly caring for the data that you carelessly gave away?
– Myles, Apr 25 '16 at 18:39
4
@AxeEffect: don't forget many people use the same password for their LinkedIn account and for their work-related accounts. This phishing test makes a lot of sense from a security point of view.
– Étienne, Apr 25 '16 at 19:15
18
"The fake LinkedIn form did not use HTTPS connection. Credentials were sent to the outsourced phishing test company in bare plain text." - You know this much about how (un)sophisticated it is, yet you still clicked it and provided your credentials? And now you're angry? This is insane. I would just change your password and in the future not click things.
– Dan, Apr 25 '16 at 19:25
3
Are you certain that your credentials were sent somewhere? Usually this test throws away what you entered in the form and, after you hit submit, takes you to a page that says something like "If we had been the bad guys your credentials would have been exposed." Unless of course, you were just successfully phished and the company wasn't running a test at all.
– ColleenV, Apr 25 '16 at 19:57
4
You got caught doing exactly what they were testing for. Now you're mad. At what? That you're that bad with password management, or that they know you're that bad with password management? Change your LinkedIn password and contemplate your performance. No one forced you to be careless. I'd bet the invitation came through your work email to begin with.
– Wesley Long, Apr 25 '16 at 21:02
asked Apr 25 '16 at 18:25 by DunCat (1948), edited Nov 27 '17 at 19:59
3 Answers
7 votes, accepted
Whether it's legal or not (contact a lawyer in your area to verify this), I think it constitutes a gross breach of trust, as well as a breach of privacy.
The only mitigating factor might be if the email arrived via your work e-mail, in which case:
- They will argue that a real attack might follow a similar pattern, and took place on their machines/email system
- They will turn this situation around and say that you shouldn't have been on a networking site while at work in the first place
In any case, as you yourself stated, since you were not notified of the test's occurrence, or otherwise advised to improve your practices, the overall result is simply that you feel betrayed - it did not actually help you, except in exposing your employer's duplicity. I want to underline that the problem is not that the test took place, it's that this third party "stole" personal information, sent it out over the web in the clear, and stored it in their databases. I believe that employees should have been advised that this happened, and reassured that their information will be deleted, or otherwise contained.
You could go complain to your manager, but realistically the chances that he's going to do anything about it are quite low. Keep in mind, I'm not saying that you shouldn't talk to him, just that he will most likely not have a say in how the company handles these things in the future.
Now that your eyes will have been opened to this company's treatment of your personal data, you may wish to seek employment with a firm which treats its employees more honorably.
2
@enderland - most people's LinkedIn accounts are tied to their personal emails. If the OP received an email aimed at his personal account on a work machine, or sent to a personal device via a company server, then that raises big issues (a company will likely have your personal email in their contact information). I also think that not notifying employees that a test was conducted, and that they should change their passwords, is a very low blow. That being said, I did cover that if this all took place over company email/machines it changes things. Maybe I'll make that clearer.
– AndreiROM, Apr 25 '16 at 18:45
2
Maybe the company only notified individuals who clicked the email? After all, how did the OP find out about it? I see no reason why they should educate people who knew it was fake. It's sort of like explaining you shouldn't put your finger in sockets to people who didn't put their fingers in sockets.
– Dan, Apr 25 '16 at 19:34
2
@Dan - so how will anyone learn from their mistakes then? You have to attempt to educate users, otherwise each and every user will be a bigger liability.
– AndreiROM, Apr 25 '16 at 19:42
3
The others made no mistake when they didn't click the link, so they wouldn't need to be told anything. The OP listed out several security concerns about the hack and as such learned a valuable lesson, I would think. He also knew it was a company-sponsored hack after attempting to log in. So I'm not sure how much more the company would need to "educate" on this. At my last company they simply said, "X number of people clicked this phishing link; as always, don't click suspicious links." They knew a certain margin of people would click and it was within their estimated range. They can't get to zero.
– Dan, Apr 25 '16 at 19:58
"Is social penetration testing ethical?" You think no, and have answered accordingly. Google the question; this is far from a consensus. I don't know what I think.
– Nathan Cooper, Nov 29 '17 at 2:48
3 votes
Yes, my previous employer would do this. They would send out phishing emails and test how many people logged in. What is unusual about your case is that they tested it with a private LinkedIn account that isn't part of the company. I would consult with a lawyer on this one. I do know they have a right to test their own systems, and unless the LinkedIn account was theirs, I see no reason why they would do this.
I hope you don't blame your company for this. I would simply change the password and just accept you made an embarrassing error. In the future I hope you don't click on links in some email, no matter how tempting it is.
1
"unless the LinkedIn account was theirs then I see no reason why they would do this." Many people use the same password for private and work-related accounts; LinkedIn phishing is a very realistic way for a company to get hacked.
– Étienne, Apr 25 '16 at 19:32
3
@Étienne Any reasonable company should know that an attack can occur from various sources. That doesn't mean they have a right to test each of these external sources. A reasonable company should have enough safeguards in place to protect against these sorts of threats without invading someone's private life.
– Dan, Apr 25 '16 at 19:37
1
They decided to attack personal accounts instead of company ones. If they want to perform security tests (a practice which I consider legitimate) they should do it at the company's own risk and expense, and not at the expense of employees' personal accounts. At the same time, if they had tested company accounts they would have avoided an unnecessary personal account violation.
– DunCat, Apr 25 '16 at 19:37
@Dan I didn't say anything about privacy. I was commenting on the "I see no reason why they would do this": I see one reason: from a security point of view, phishing via LinkedIn is a very realistic and widely used attack, so this is a good security test from a technical point of view (see also zerofox.com/blog/linkedin-scam).
– Étienne, Apr 25 '16 at 20:07
2
For a few hundred dollars, a lawyer would most likely advise the OP to change passwords, be more careful about clicking on links at work, and recommend not going any further with this.
– teego1967, Apr 25 '16 at 22:45
2 votes
Most employers have a policy stating that they own any and all information sent from within their network and/or devices and that you have zero expectation of privacy, so if you were using personal credentials to log into a personal account from a company network and/or computer, you've given them the right to "own" that information. If you are concerned about your employer having personal information/credentials, then use your own time, devices, and internet connection while conducting personal business.
Now, if this DID happen using your personal device, email address, and internet connection, I might consider contacting an attorney.
2
This gets a bit complicated because many people might check their work emails on their own phone. If the email arrived in your work email, then I would guess you have no reason to expect privacy just because you opened that email on your personal device. They can still monitor their own items no matter how you access them.
– Dan, Apr 25 '16 at 19:19
1
That is not 100% true in the case of the UK.
– Pepone, Apr 25 '16 at 20:10
4
Just because an employer claims to "own" data you send through their network (even if it's in contract) doesn't mean they actually do. You may not have the power to transfer those rights: most service providers don't permit you to disclose passwords. They may not have the right to store the data regardless, because it's disproportionate to their legitimate purposes.
– user52889, Apr 25 '16 at 20:50
Data can't actually be 'owned'. It can be protected by various types of intellectual property rights, but I don't think any would apply to a password.
– bdsl, Jul 25 '16 at 22:28
1
Usually when they say this, it means that IT has the right to read your data, but that doesn't mean they have the right to go on your bank's site and log on, even if they did nothing with it. They have a right to see that information, not to use it when it's personal. But of course it will be different according to the country.
– Walfrat, Sep 26 '16 at 6:29
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
7
down vote
accepted
Whether it's legal or not (contact a lawyer in your area to verify this), I think it constitutes a gross breach of trust, as well as a breach of privacy.
The only mitigating factor might be if the email arrived via your work e-mail, in which case:
They will argue that a real attack might follow a similar pattern, and took place on their machines/email system
They will turn this situation around and say that you shouldn't have been on a networking site while at work in the first place
In any case, as you yourself stated, since you were not notified of the test's occurrence, or otherwise advised to improve your practices the overall result is simply that you feel betrayed - it did not actually help you, except in exposing your employer's duplicity. I want to underline that the problem is not that the test took place, it's that this third party "stole" personal information, sent it out over the web in the clear, and stored it in their databases. I believe that employees should have been advised that this happened, and reassured that their information will be deleted, or otherwise contained.
You could go complain to your manager, but realistically the chances that he's going to do anything about it are quite low. Keep in mind, I'm not saying that you shouldn't talk to him, just that he will most likely not have a say in how the company handles these things in the future.
Now that your eyes will have been opened to this company's treatment of your personal data you may wish to seek employment with a firm which treats its employees more honorably.
edited Apr 25 '16 at 18:52
answered Apr 25 '16 at 18:34
AndreiROM
44.1k21101173
2
@enderland - most people's LinkedIn accounts are tied to their personal emails. If the OP received an email aimed at his personal account on a work machine, or sent to a personal device via a company server, then that raises big issues (a company will likely have your personal email in their contact information). I also think that not notifying employees that a test was conducted, and that they should change their passwords, is a very low blow. That being said, I did cover that if this all took place over company email/machines it changes things. Maybe I'll make that clearer.
– AndreiROM
Apr 25 '16 at 18:45
2
Maybe the company only notified individuals who clicked the email? After all, how did the OP find out about it? I see no reason why they should educate people who knew it was fake. It's sort of like explaining that you shouldn't put your finger in sockets to people who didn't put their fingers in sockets.
– Dan
Apr 25 '16 at 19:34
2
@Dan - so how will anyone learn from their mistakes then? You have to attempt to educate users, otherwise each and every user will be a bigger liability.
– AndreiROM
Apr 25 '16 at 19:42
3
The others made no mistake when they didn't click the link, so they wouldn't need to be told anything. The OP listed out several security concerns about the hack and as such learned a valuable lesson, I would think. He also knew it was a company-sponsored hack after attempting to log in. So I'm not sure how much more the company would need to "educate" on this. At my last company they simply said, "X number of people clicked this phishing link; as always, don't click suspicious links." They knew a certain margin of people would click and it was within their estimated range. They can't get to zero.
– Dan
Apr 25 '16 at 19:58
"Is social penetration testing ethical?" You think no, and have answered accordingly. Google the question; this is far from a consensus. I don't know what I think.
– Nathan Cooper
Nov 29 '17 at 2:48
suggest improvements |
up vote
3
down vote
Yes, my previous employer would do this. They would send out phishing emails and test how many people logged in. What is unusual about your case is that they tested it with a private LinkedIn account that isn't part of the company. I would consult with a lawyer on this one. I do know they have a right to test their own systems, and unless the LinkedIn account was theirs, I see no reason why they would do this.
I hope you don't blame your company for this. I would simply change the password and just accept you made an embarrassing error. In the future I hope you don't click on links in some email, no matter how tempting it is.
answered Apr 25 '16 at 19:15
Dan
4,752412
1
"unless the linkedin account was theirs then I see no reason why they would do this." Many people use the same password for private and work-related accounts; LinkedIn phishing is a very realistic way for a company to get hacked.
– Étienne
Apr 25 '16 at 19:32
3
@Étienne Any reasonable company should know that an attack can occur from various sources. That doesn't mean they have a right to test each of these external sources. A reasonable company should have enough safeguards in place to protect against these sorts of threats without invading someone's private life.
– Dan
Apr 25 '16 at 19:37
1
They decided to attack personal accounts instead of company ones. If they want to perform security tests (a practice which I consider legitimate) they should do it at the company's risk and expense and not at the expense of employees' personal accounts. At the same time, if they had tested company accounts they would have avoided an unnecessary personal account violation.
– DunCat
Apr 25 '16 at 19:37
@Dan I didn't say anything about privacy. I was commenting on the "I see no reason why they would do this": I see one reason: from a security point of view phishing via LinkedIn is a very realistic and widely used attack, so this is a good security test from a technical point of view (see also zerofox.com/blog/linkedin-scam ).
– Étienne
Apr 25 '16 at 20:07
2
For a few hundred dollars, a lawyer would most likely advise the OP to change passwords, be more careful about clicking on links at work, and recommend not going any further with this.
– teego1967
Apr 25 '16 at 22:45
suggest improvements |
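Dan's advice above is to stop clicking links in unexpected mail, and Étienne's point is that a LinkedIn-themed lure is a realistic one. The two checks that separate a lure from the real thing can be done before any credential is typed: where each link in the message actually resolves, as opposed to the text it shows, and where the landing page's login form would send a password, and whether that is over HTTPS. The Python below is an added example written for this page; it is not code from any poster or from a phishing-simulation vendor. The e-mail and landing page it inspects are constructed for illustration, `linkedin-invites.example.net` is a made-up lure host, and the `registered_domain` helper is a deliberate simplification with no public-suffix list.

```python
"""Pre-click checks on a suspicious e-mail and the login page it leads to.

Added example for this thread, not code from any poster or vendor.
The sample mail and page below are constructed; example.net hosts are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a "connection request" whose visible link text shows
# linkedin.com while the href points at a plain-HTTP lure host.
SAMPLE_MAIL = """
<p>Jane Doe wants to connect with you on LinkedIn.</p>
<a href="http://linkedin-invites.example.net/accept?u=123">https://www.linkedin.com/in/jane-doe</a>
<a href="https://www.linkedin.com/help">Help Center</a>
"""

# Constructed sample landing page: a login form with an empty action, so the
# browser would POST the password back to the page's own (HTTP) URL.
SAMPLE_PAGE_URL = "http://linkedin-invites.example.net/login"
SAMPLE_PAGE = """
<form action="" method="post">
  <input type="text" name="session_key">
  <input type="password" name="session_password">
  <input type="submit" value="Sign in">
</form>
"""


def registered_domain(host: str) -> str:
    """Last two labels of a host name (www.linkedin.com -> linkedin.com).
    Simplification: no public-suffix list, so 'bbc.co.uk' -> 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _Collector(HTMLParser):
    """Gathers every <a> (href + visible text) and every <form> (action,
    method, number of password inputs) from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []   # [href, visible text]
        self.forms = []   # {"action", "method", "password_fields"}
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.links.append([a.get("href") or "", ""])
            self._in_a = True
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "password_fields": 0})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

    def handle_data(self, data):
        if self._in_a and self.links:
            self.links[-1][1] += data


def suspicious_links(mail_html: str, claimed_domain: str) -> list:
    """One finding per link whose real destination is not under the domain
    the mail claims to be from, or that is not served over HTTPS."""
    c = _Collector()
    c.feed(mail_html)
    findings = []
    for href, text in c.links:
        u = urlparse(href)
        host = u.hostname or ""
        reasons = []
        if registered_domain(host) != registered_domain(claimed_domain):
            reasons.append("destination host %r is not under %s" % (host, claimed_domain))
        if u.scheme != "https":
            reasons.append("scheme is %r, not https" % (u.scheme or ""))
        if reasons:
            findings.append({"href": href, "text": text.strip(), "reasons": reasons})
    return findings


def credential_forms(page_html: str, page_url: str) -> list:
    """For every form with a password field: the absolute URL it would submit
    to (an empty action means the page's own URL) and whether that is HTTPS."""
    c = _Collector()
    c.feed(page_html)
    report = []
    for f in c.forms:
        if f["password_fields"] == 0:
            continue
        target = urljoin(page_url, f["action"])
        report.append({"submits_to": target,
                       "method": f["method"],
                       "https": urlparse(target).scheme == "https"})
    return report


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MAIL, "linkedin.com"):
        print("LINK  %s\n  shown as: %s\n  %s" % (f["href"], f["text"], "; ".join(f["reasons"])))
    for r in credential_forms(SAMPLE_PAGE, SAMPLE_PAGE_URL):
        print("FORM  %s %s (https=%s)" % (r["method"].upper(), r["submits_to"], r["https"]))
```

Run as a script it reports the first link (visible text and real destination disagree, and the destination is plain HTTP) and the form (password posted to an HTTP URL). A form whose action is empty and whose submit is intercepted by JavaScript looks identical to this static check, so the report states where the browser would send the credentials, not whether anything is listening there; that distinction has to be settled by reading the page's script or watching the network.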
up vote
2
down vote
Most employers have a policy stating that they own any and all information sent from within their network and/or devices and that you have zero expectation of privacy, so if you were using personal credentials to log into a personal account from a company network and/or computer, you've given them the right to "own" that information. If you are concerned about your employer having personal information/credentials, then use your own time, devices, and internet connection while conducting personal business.
Now, if this DID happen using your personal device, email address, and internet connection, I might consider contacting an attorney.
answered Apr 25 '16 at 18:40
DVK
2
This gets a bit complicated because many people might check their work emails on their own phone. If the email arrived on your work email then I would guess you have no reason to expect privacy just because you opened that email on your personal device. They can still monitor their own items no matter how you access it.
– Dan
Apr 25 '16 at 19:19
1
That is not 100% true in the case of the UK
– Pepone
Apr 25 '16 at 20:10
4
Just because an employer claims to "own" data you send through their network (even if it's in contract) doesn't mean they actually do. You may not have the power to transfer those rights: most service providers don't permit you to disclose passwords. They may not have the right to store the data regardless because it's disproportionate to their legitimate purposes.
– user52889
Apr 25 '16 at 20:50
Data can't actually be 'owned'. It can be protected by various types of intellectual property rights but I don't think any would apply to a password.
– bdsl
Jul 25 '16 at 22:28
1
Usually when they say this, it means that IT has the right to read your data, but that doesn't mean they have the right to go to your bank's site and log on, even if they did nothing with it. They have a right to see, not to use, that information when it's personal. But of course it will be different according to the country.
– Walfrat
Sep 26 '16 at 6:29
24
You are paradoxically mad that they are poorly caring for the data that you carelessly gave away?
– Myles
Apr 25 '16 at 18:39
4
@AxeEffect: don't forget many people use the same password for their linkedin account and for their work related accounts. This phishing test makes a lot of sense from a security point of view.
– Étienne
Apr 25 '16 at 19:15
18
"The fake LinkedIn form did not use HTTPS connection. Credentials were sent to the outsourced phishing test company in bare plain text." - You know this much about how (un)sophisticated it is yet you still clicked it and provided your credentials? And now you're angry? This is insane. I would just change your password and in the future not click things.
– Dan
Apr 25 '16 at 19:25
3
Are you certain that your credentials were sent somewhere? Usually this test throws away what you entered in the form and after you hit submit takes you to a page that says something like "If we had been the bad guys your credentials would have been exposed." Unless of course, you were just successfully phished and the company wasn't running a test at all.
– ColleenV
Apr 25 '16 at 19:57
4
You got caught doing exactly what they were testing for. Now you're mad. At what? That you're that bad with password management, or that they know you're that bad with password management? Change your LinkedIn password and contemplate your performance. No one forced you to be careless. I'd bet the invitation came through your work email to begin with.
– Wesley Long
Apr 25 '16 at 21:02