In a breach notification letter posted online, General Electric (GE) said one of its service providers, Canon Business Process Services, experienced a data breach last month. The breach exposed certain personal data on past and present GE employees, as well as their beneficiaries.
According to the letter, GE was notified of the breach by Canon on February 28, 2020.
Canon confirmed that between February 3 and 14, 2020, an unauthorized party gained access to an email account that contained documents with sensitive employee and beneficiary personal information. The data was maintained on Canon’s internal systems.
“Canon has indicated that the affected documents, which contained certain personal information, were uploaded by or for GE employees, former employees and beneficiaries entitled to benefits in connection with Canon’s workflow routing service,” GE stated in the letter.
The relevant data contained in the stolen documents included:
- Direct deposit forms
- Driver’s licenses
- Birth certificates
- Marriage certificates
- Death certificates
- Medical child support orders
- Tax withholding forms
- Beneficiary designation forms
- Applications for benefits such as retirement
- Severance and death benefits forms.
In addition, severance and death benefits-related forms may also have contained:
- Social Security numbers
- Driver’s license numbers
- Bank account numbers
- Passport numbers
- Dates of birth.
GE also confirmed that Canon has taken steps to secure its systems and has retained a security expert to conduct a forensics investigation.
GE also said its own systems were not compromised in the attack.
Although details on the cause of the breach were not disclosed, the incident could have been caused by a phishing attack and/or password-stealing malware targeting Canon employees who had access to HR or sensitive systems.
The incident highlighted the critical need for strong security awareness training for employees on how to guard against phishing attacks. In addition, email accounts should be protected by multi-factor authentication in case a user’s password is stolen.
Finally, this issue reinforces the need for organizations to make sure their third-party providers also have strong security protections in place to protect sensitive employee or customer data.