General Electric (GE) announced last week that confidential records of some of its staff may have been exposed as a result of a data breach at Canon Business Process Services.
In a breach notification sent to affected parties and forwarded to the California Attorney General, GE said that an unauthorized party had gained access to a Canon email account containing records belonging to some of its employees.
The breach happened between 3 and 14 February and resulted in the disclosure of details belonging to current and former GE workers and beneficiaries entitled to benefits. The compromised email account contained conception, marriage, and death records, direct deposit documents, visas, driver’s licenses, tax reports, professional child care orders, and benefit-related documents.
The details released include names, addresses, social security numbers, driver’s license numbers, bank account numbers, dates of birth and passport numbers.
Canon Business Process Solutions offers information management tools, and GE states that it uses these systems to manage employee records. The documents exposed in this breach were transmitted to or by GE staff and beneficiaries in accordance with Canon’s workflow routing program. GE says its internal networks are not affected by the incident.
Canon has not disclosed any details regarding the breach, so it is unknown whether GE is the only customer affected.
“We understand that Canon took steps to secure its systems and determine the nature of the issue. Canon also retained a data security expert to conduct a forensic investigation,” GE said.
GE was informed of the incident on 28 February and is working to determine how the breach happened in order to introduce measures to prevent similar incidents in the future.
“It seems that no matter how much training and awareness is provided, the human element remains the weakest link in the cybersecurity chain. The problem is not entirely the employees’ faults, as hackers and attackers are improving their tactics to trick employees into clicking on links infected with malware. A determined attacker may go as far as designing an email to look authentic and even read as if clicking on the link is the right thing to do,” Jonathan Deveaux, head of enterprise data protection at comforte AG, told.
“Unfortunately, in this case, hackers obtained the credentials for a corporate email. This means that they had access to everything that the employee did. Instances like this are easily avoided through good account hygiene, however they are extremely difficult to mitigate once it has occurred,” Deveaux added.