Google has begun notifying some of its employees that their information was compromised by one of its third-party vendors. In a sample breach notification letter Softpedia obtained from the Office of the Attorney General for the State of California, the tech giant provides some details on what transpired in the incident:
"We recently learned that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our Googlers to a benefits manager at another company. Promptly upon viewing the document, the benefits manager deleted it and notified Google’s vendor of the issue. After the vendor informed us of the issue, we conducted an investigation to determine the facts."
That document is believed to have contained the affected employees' names and Social Security Numbers. It did not include information regarding their benefits or on their dependents/family members. Google is confident that no malicious actors gained access to the exposed information.
"We have no evidence that any of your information has been misused as a result of this incident, and computer access logs indicate that no other individuals viewed your information before it was deleted. In addition, the benefits manager has confirmed that she did not save, download, disclose or otherwise use the information contained in the document."
The Menlo Park-based company is currently working with the vendor to ensure similar security incidents do not occur again. In the meantime, it is offering all affected employees free identity protection and credit monitoring services. This breach helps illuminate the growing security threat suppliers and third-party vendors pose to organizations. In a recent survey of some 320 IT professionals sponsored by Tripwire, 81 percent of respondents said they were confident in their organization's ability to protect sensitive data. Just over half (55 percent) said the same about their suppliers and vendors, which could explain why 43.6 percent of participants said their organizations require their partners to pass a security audit if they are to sign with them. For more information on the perceived threat posed by partners and suppliers, please click here.