The Information Security team at logistics firm Hargreaves Distribution has marked the successful completion of its quarterly phishing awareness test by immediately distributing the results to all 847 employees in an unencrypted Excel file attached to a mass email.

The spreadsheet, which contains the names, departments, and click-through rates of every member of staff who fell for the simulated attack, was sent from the shared inbox [email protected] at 4:47pm on Friday afternoon. It arrived with the subject line “IMPORTANT: Q1 Security Test Results – Please Review” and included helpful colour-coded rankings showing which individuals posed the greatest security risk to the organisation.

Martin Eccleston, Head of IT Security, said the test had exceeded all expectations. “We’re delighted that only 34 per cent of employees clicked on the fake invoice link, down from 41 per cent in December,” he explained. “It shows our training programme is really bearing fruit. We wanted to share these encouraging figures with everyone as quickly as possible.”

The spreadsheet also contains a tab labelled “Repeat Offenders” which lists the seventeen employees who have failed all four phishing tests in the past year, along with their direct line numbers and a column titled “Disciplinary Action Recommended”.

Several members of staff have already replied-all to express concern about the distribution method. Jennifer Walters, a compliance officer in the Birmingham office, wrote that storing such sensitive HR data in an unprotected file accessible to the entire company might contravene several data protection policies, possibly including one or two laws.

“I appreciate the irony isn’t lost on anyone,” Walters noted in her email, which was also sent to all 847 recipients. “But I thought it worth mentioning that this spreadsheet has now been forwarded to at least six personal email addresses that I can see in the cc field, including what appears to be someone’s grandmother.”

Eccleston responded that the security team had considered password-protecting the document but decided this would create unnecessary barriers to transparency. “We’re trying to foster a culture of openness around cyber security,” he said. “Besides, it’s only internal data. It’s not as though we’ve shared anyone’s actual passwords or anything sensitive.”

The spreadsheet has since been downloaded 1,203 times and shared to three separate WhatsApp groups. IT Support has received forty-two separate requests asking why the file triggers a warning when opened, and whether employees should enable macros to view the embedded charts showing their individual vulnerability scores.

A follow-up email is expected next week reminding staff not to open unsolicited attachments.