A Boeing employee inadvertently leaked the personal information of 36,000 of his co-workers late last year when he emailed a company spreadsheet to his non-Boeing spouse.
News of the breach surfaced earlier this month after a letter (.PDF) from Boeing’s Deputy Chief Privacy Officer Marie Olson, to the Attorney General for the state of Washington Bob Ferguson, was posted to Ferguson’s website.
Forty-seven states, including Washington, have legislation on the books that requires companies or government entities to disclose whenever there’s been a breach of personally identifiable information. Under Washington law, companies are required to notify the Attorney General’s office if the incident affects more than 500 of the state’s residents. In this instance Boeing claims the information of 7,288 Washington residents may have been impacted.
According to the letter, the breach occurred on Nov. 21, 2016, after a Boeing employee encountered a formatting issue and emailed a spreadsheet to his spouse, who didn’t work at the company. The file contained sensitive, personally identifiable information of 36,000 of the aircraft manufacturer’s employees, including names, places of birth, BEMSIDs (employee ID numbers), and accounting department codes. The spreadsheet also included Social Security numbers and dates of birth, albeit in “hidden columns,” according to Olson.
Spreadsheet software, such as Microsoft’s Excel, allows authors to hide selected information, usually to prevent that data from being seen, changed, or deleted.
According to Olson’s letter, the breach was discovered earlier this year, on Jan. 9, but the company didn’t begin to inform employees until a month later, Feb. 8.
In the letter to Ferguson, Boeing claims it destroyed copies of the spreadsheet and carried out a “forensic examination” of both the Boeing employee’s computer and his spouse’s to ensure it was deleted.
“Both the employee and his spouse have confirmed to us that they have not distributed or used any of the information,” Olson writes.
For its part, Boeing, the second-largest defense contractor in the world after Lockheed Martin, said it doesn’t believe its employees’ data has been or will be used inappropriately. Regardless, as is often customary in incidents like this, the company is offering employees two years of access to a free identity theft protection service.
According to a separate letter Boeing sent customers earlier this month, it plans to require additional training around how to adequately handle personal information in the wake of the breach. The company says it may implement additional controls around sensitive data in the near future, although it’s unclear what those controls might be.
When reached Tuesday, a spokesperson from the company told Threatpost it believed the risk to employees was low.
“We have notified all affected parties about the incident. We believe it is contained and the risk of harm is very low,” Boeing said.
The incident harkens back to a series of incidents Boeing suffered in the mid-2000s when laptops containing employee data were stolen on three separate occasions. Those laptops, stolen in November 2005, April 2006, and December 2006, contained sensitive information on 160,000, 3,500, and 382,000 employees, respectively.
According to the Identity Theft Resource Center’s February 22 Data Breach Report (.PDF), there have already been 187 data breaches, exposing 1,094,981 records, in 2017 so far.
Boeing’s figure of 36,000 individuals pales in comparison to fast food chain Arby’s, which confirmed in early February that more than 355,000 of its customers may have been affected by a breach. The Georgia-based restaurant said it discovered in mid-January that malicious software had been installed on its payment card systems nationwide. Arby’s said it waited until this month to disclose the breach at the behest of the FBI.
This article was updated on March 1 to include a statement from Boeing.