Past and present employees of General Electric (GE) are learning that their sensitive information has been exposed by a data breach at a third-party service provider.

Fortune 500 company GE says it was recently informed of a security breach at one of its partners, Canon Business Process Services. According to GE, between approximately February 3 - 14, 2020, an unauthorized party managed to gain access to a Canon email account that contained sensitive information on current and former employees, as well as beneficiaries.

What the hackers managed to access was effectively a treasure trove of information which could be sold on underground forums to other criminals and fraudsters, or used to target individuals with convincing scam emails and phishing attacks.

Information about GE employees gained by the hack of the Canon email account included:
- direct deposit forms
- driver’s licenses
- passports
- birth certificates
- marriage certificates
- death certificates
- medical child support orders
- tax withholding forms
- beneficiary designation forms
- applications for benefits such as retirement, severance and death benefits with related forms and documents
According to GE's data breach notification letter, exposed forms may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information.
And the problem is this. When your password gets compromised after a data breach, you can change your password. Of course it can be a pain and a nuisance to change your password, but it's not an insurmountable problem - and if you haven't made the mistake of reusing the same password in multiple places the impact of the breach is limited. But just try changing the details contained on your passport, your date of birth, your bank account details, or your social security number...

GE says that, following the discovery of the breach, its partner Canon "took steps to secure its systems and determine the nature of the issue" and emphasises that GE's own infrastructure was not compromised by the attackers. That's good, but it's not much consolation for the unknown number of past and present GE employees and their beneficiaries who have had their personal information fall into the hands of hackers.

Data breaches like this emphasise that companies don't just need to worry about their own security, but also what protections have been put in place by their partners to safeguard any sensitive data which has been shared with them.

In all likelihood, the attackers who compromised the Canon email account to access GE workers' sensitive information did so through an elementary attack - perhaps phishing for an email login password or using keyboard-logging malware to steal passwords. The breach might have been stopped in the first place if additional measures had been put in place to protect Canon's systems from unauthorised access (multi-factor authentication, for instance?), and through user security awareness training.

There are few companies that can manage their day-to-day business without the assistance of third parties. All firms providing services to others need to take their responsibilities seriously and ensure that they are doing everything possible to ensure that their customers' data cannot ever be accessed by unauthorised parties.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.