A phisher’s treasure chest of personally identifiable information (PII) for General Electric employees has been exposed – thanks to the compromise of one of the company’s partners, Canon Business Process Services.
In a data-breach notice filed with the State of California, General Electric (GE) noted that it contracts with Canon to process various documents related to human resources matters. The breach affects current and former GE employees and beneficiaries entitled to benefits, the conglomerate said. The documents were uploaded directly to Canon’s systems.
GE said that a security incident at Canon in February exposed a wide-ranging number of sensitive HR-related documents. These include divorce, death and marriage certificates; benefits information (beneficiary designation forms and applications for benefits such as retirement, severance and death benefits); and even medical child support orders. Other hacked info includes direct-deposit forms, driver’s licenses, passports, tax withholding forms, names, addresses, Social Security numbers, bank-account numbers, dates of birth and other information.
It’s a jackpot for an attacker. The information could be sold in underground criminal forums, or used to craft highly convincing phishing and scam emails, or used to carry out identity theft and fraud.
GE was notified on February 28 that Canon had suffered the breach. According to the disclosure notice, between February 3 and 14, an unauthorized adversary was able to compromise an internal Canon email account, which housed messages containing the GE-related documents.
“We understand that Canon took steps to secure its systems and determine the nature of the issue,” the Fortune 500 company said in the disclosure notice. “GE systems, including your personal information in our systems, have not been affected by the Canon data security incident. We will work hard to understand how the unauthorized individual was able to access Canon’s systems.”
No further information was revealed about how the attacker managed to compromise the email account, nor about how many people are affected by the incident. As of its last earnings report, GE had 205,000 employees across its subsidiaries, which include GE Additive, GE Aviation, GE Capital, GE Digital, GE Global Research, GE Healthcare, GE Lighting, GE Power, GE Renewable Energy and GE Ventures.
Threatpost reached out to GE for more information.
“This could have occurred either through malware on the employee’s computer, through a breach to another application that had the same password, or if the employee had a weak password that was easily guessed,” Elad Shapira, head of research at Panorays, said via email. “In all these cases, however, the breach might have been prevented with a strong password policy and employee security training.”
Shapira also said that the incident illustrates how large enterprises with strong security profiles can nonetheless be vulnerable to cyberattacks through their third-party suppliers.
“This cyber-incident underscores why it’s so important for companies to thoroughly assess their service providers’ cyber posture, and why that assessment must also take into account the human factor,” he noted. “Specifically, companies should be sure to check the likelihood of employees to be targeted for an attack based on factors like social media presence, employee security awareness and the presence of a dedicated security team.”