It’s important to protect every email account at an organization, but the concern is usually that those accounts will provide a crack in the defenses through which hackers can move laterally and eventually get to the good stuff. It would be an outrageous lapse of security awareness to have an email account holding scores of sensitive personal records, including financial information and scans of identity documents, ready to be harvested immediately by anyone who manages to phish that account. Yet that seems to be exactly what has happened in a recent third party data breach at General Electric (GE) contractor Canon Business Process Services.
The third party data breach has reportedly exposed reams of personal information including direct deposit forms and tax forms containing social security numbers, scans of birth certificates and passports, applications for benefits, court orders and photos of driver’s licenses. GE did not specify how many of its employees were impacted, but the company currently has about 205,000 employees along with hundreds of thousands of former employees who continue to receive benefits.
Yet another third-party data breach
The Fortune 500 electronics conglomerate has disclosed that the third party data breach occurred between February 3 and 14 of this year. The company did not become aware of the breach until February 28.
The unknown party gained access to the workflow routing service of Canon BPS, a subdivision of the camera giant that specializes in handling outsourced human resources tasks such as document processing and accounts payable.
GE’s data breach notification letter, which is dated March 20, was thin on details about the hack but did admit to the wide range of sensitive personal document types that were exposed. It is unclear if these were stored in a breached email account, or if the account that was compromised contained some sort of automatic authentication or plaintext login information that allowed attackers access to Canon’s systems. Without these details and without GE putting out a specific number, it is impossible to tell how many of their current and former employees had their information exposed.
In response to the breach, Canon offered current and former GE employees two years of free credit monitoring through Experian IdentityWorks, which includes some amount of identity theft insurance coverage.
More damaging than the usual breach
This third party data breach contains a literal treasure trove of data for a cyber criminal, and is extremely damaging for those impacted by it.
It appears that the victims are those who uploaded documents to GE as part of the process of obtaining benefits, and possibly those who completed online employment applications as well. The credit monitoring that is being offered will help to protect against the inevitable fraud attempts, which are likely to be more successful than usual given the sheer amount of information that was available. But some employees face a more immediate threat of having their bank accounts drained: bank routing numbers appear to have been included on some of the documents, and combined with the rest of the information and scans they provide everything one would need to commit identity fraud and gain direct access to those accounts.
It would not be surprising to see lawsuits eventually emerge over negligent handling of all of this sensitive personal data.
Lessons from the GE / Canon BPS data breach
Though it is admittedly an extreme example, this incident is an illustration of how much damage can be done when just one email account is compromised in a third party data breach.
It is also yet another reminder of the importance of supply chain security. It appears that GE was having both employees and former staff upload documents directly to Canon BPS. While it’s not uncommon for HR and payroll operations to outsource the processing of sensitive documents, GE bears a great deal of responsibility in reviewing how contractors are handling sensitive data and ensuring that incidents like these do not happen.
The first line of defense against a third party data breach is the inbox. Organizations face the increasingly complicated challenge of trying to check human nature as targeted phishing attempts become more sophisticated and authentic-looking. While employee training and awareness remain vital, Jonathan Deveaux (Head of Enterprise Data Protection at comforte AG) points out that this is probably no longer enough and that more advanced technological measures are prudent: “AI can help determine if emails should be captured and quarantined before even getting to employees’ inboxes. De-identifying sensitive data can also ensure that the data a cyber attacker is usually after has no exploitable value.”
In terms of securing against a third party data breach, this incident illustrates the need to screen not just the traditional IT countermeasures and posture of contractors but also the susceptibility of the individual employees who have access to sensitive data. Elad Shapira, Head of Research at Panorays: “This cyber incident underscores why it’s so important for companies to thoroughly assess their service providers’ cyber posture, and why that assessment must also take into account the human factor. Specifically, companies should be sure to check the likelihood of employees to be targeted for an attack based on factors like social media presence, employee security awareness and the presence of a dedicated security team.”
The very first supply chain security recommendation that the National Institute of Standards and Technology makes is to “develop defenses under the assumption that you will be breached.” Had this philosophy been extended to data handling and organization-wide security awareness at both GE and Canon BPS, it is very unlikely that this third party data breach would have been as damaging. This trove of sensitive information would not have been sitting in an email account, would not have shared the same access credentials as the compromised account, and would not have been reachable through a login stored in plain text in someone’s inbox. A company with responsible cyber security practices would have done everything possible to ensure that the front door was not left wide open in this way, and it is likely that GE will be paying a hefty toll for it in the near future.
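The practical counterpart to “assume you will be breached” is to find sensitive data and plaintext logins sitting in mailboxes before an attacker does. The script below is an added example, not code from the article or from GE or Canon BPS, of a small DLP-style sweep over a mailbox export: it flags plausible Social Security numbers, bank routing numbers (validated with the ABA checksum so that arbitrary nine-digit order numbers are not reported), and `password:`-style credentials, and it records only masked values so the scan itself does not create another copy of the data. The messages, identifiers and numbers in it are constructed for the example; it assumes the mailbox has already been exported into a list of dictionaries with `id`, `subject` and `body` keys.

```python
import re
from dataclasses import dataclass

# Constructed sample messages standing in for a mailbox export. None of these
# identifiers, numbers or credentials are real; they exist only to exercise the scanner.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "subject": "Direct deposit form",
     "body": "Routing 123456780, account ending 4455. SSN 123-45-6789."},
    {"id": "msg-002", "subject": "Lunch",
     "body": "Order #123456789 will arrive Friday."},
    {"id": "msg-003", "subject": "HR portal",
     "body": "login: hr_admin password: Spring2020!"},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")
CRED_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    message_id: str
    kind: str
    masked: str  # never the full value; the report must not become a second leak


def mask(value: str) -> str:
    """Keep only the last four characters so a human can confirm the hit."""
    return "*" * (len(value) - 4) + value[-4:]


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial combinations the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def is_valid_aba_routing(digits: str) -> bool:
    """ABA routing checksum: digits weighted 3,7,1 repeating must sum to a multiple of 10."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def scan_message(msg: dict) -> list:
    """Return the findings for one message, in order of appearance by category."""
    text = msg["subject"] + "\n" + msg["body"]
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding(msg["id"], "ssn", mask(m.group(0))))
    for m in ROUTING_RE.finditer(text):
        if is_valid_aba_routing(m.group(0)):
            findings.append(Finding(msg["id"], "aba_routing", mask(m.group(0))))
    for _ in CRED_RE.finditer(text):
        # The credential itself is deliberately not kept, even masked.
        findings.append(Finding(msg["id"], "plaintext_credential", "<redacted>"))
    return findings


def scan_mailbox(messages: list) -> list:
    return [f for msg in messages for f in scan_message(msg)]


def summarize(findings: list) -> dict:
    """Count findings per category; this is what an owner gets asked to clean up."""
    summary = {}
    for f in findings:
        summary[f.kind] = summary.get(f.kind, 0) + 1
    return summary


if __name__ == "__main__":
    hits = scan_mailbox(SAMPLE_MESSAGES)
    for h in hits:
        print(f"{h.message_id}: {h.kind} {h.masked}")
    print(summarize(hits))
```

Against the constructed messages the sweep reports one SSN and one routing number in the direct deposit form and one plaintext credential in the HR portal message, while the nine-digit order number is ignored because it fails the ABA checksum. In a real deployment the same logic would run over an actual mailbox export and feed a remediation queue, which is the kind of check that would have revealed a mailbox holding scores of tax and identity documents long before it was phished.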