Breach at third party supplier impacted General Electric employees

Multinational technology giant General Electric (GE) recently confirmed that personal information of its former and present employees was exposed after a third party supplier suffered unauthorised access to one of its corporate email accounts.

General Electric recently issued a notice confirming that personally identifiable information of current and former employees, as well as beneficiaries, was leaked through one of its service providers, Canon Business Process Services (Canon).

According to an incident report published by the Fortune 500 technology giant, the data security incident took place between approximately February 3 and 14 this year and involved an unauthorised party gaining access to an email account that contained details and documents of former and current GE employees and beneficiaries maintained in Canon’s system. GE was notified of the incident on 28 February 2020.

GE mentioned that the data security incident exposed sensitive personal information that was uploaded by or for current and former GE employees and "beneficiaries entitled to benefits in connection with Canon’s workflow routing service."

General Electric added in the report that the unauthorised party gained access to documents including “direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents”, which “may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms.”

GE has, however, confirmed that this breach has not affected its core systems. The company is now working with Canon and taking the necessary precautions to avoid such incidents in future. It is also working to identify the affected employees and beneficiaries.

To mitigate the situation, GE confirmed that affected individuals are entitled to one free credit report annually from each of the nationwide credit reporting agencies. Furthermore, Canon will offer identity protection and credit monitoring services for two years at no extra cost through Experian. Affected individuals can claim these benefits by June 30, 2020.

When contacted by Bleeping Computer, a spokesperson for GE confirmed that its supplier, Canon Business Process Services, Inc., did suffer unauthorised access but declined to disclose the number of people affected by the breach.

“We are aware of a data security incident experienced by one of GE’s suppliers, Canon Business Process Services, Inc. We understand certain personal information on Canon’s systems may have been accessed by an unauthorized individual. Protection of personal information is a top priority for GE, and we are taking steps to notify the affected employees and former employees,” the spokesperson said.

Running access control programmes and anonymising sensitive data can prevent massive data exposures

Commenting on the data security incident suffered by Canon Business Process Services, Niamh Vianney Muldoon, Senior Director of Trust and Security at OneLogin, told TEISS that the incident highlights the fact that organisations are still too casual with sensitive data.

"Organisations need to implement a security-first culture, through processes which enforce the change of default passwords, blacklist commonly used passwords and implement Multi-Factor Authentication (MFA).

"Businesses that are using cloud storage should have access control programmes and processes in place that allow them to better manage every single identity that touches corporate data, protecting against threats and cloud malware in real-time. This will help them understand who is accessing sensitive data and reduce the risk of data breaches like this materialising," Muldoon added.

Jonathan Deveaux, head of enterprise data protection at comforte AG, said that no matter how much training and awareness is provided, the human element continues to be the weakest link in the cybersecurity chain.

"The problem is not entirely the employees’ fault, as hackers and attackers are improving their tactics to trick employees into clicking on links infected with malware. A determined attacker may go as far as designing an email to look authentic and even read as if clicking on the link is the right thing to do.

"Unfortunately, in this case, hackers obtained the credentials for a corporate email. This means that they had access to everything that the employee did. Instances like this are easily avoided through good account hygiene; however, they are extremely difficult to mitigate once they have occurred," he said.

"Companies need to take a more active approach to safeguard their businesses from cyber-attacks. AI can help determine if emails should be captured and quarantined before even getting to employees’ inboxes.

"De-identifying sensitive data can also ensure that the data a cyber attacker is usually after has no exploitable value. Continued awareness training, education, and communication can help reduce the likelihood of humans clicking on malware-laced links, even though the possibility is highest among threat vectors," he added.