BreachExchange mailing list archives
Tech Giant GE Discloses Data Breach After Service Provider Hack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 25 Mar 2020 09:14:54 -0500
https://www.bleepingcomputer.com/news/security/tech-giant-ge-discloses-data-breach-after-service-provider-hack/ Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE's service providers. GE is a multinational operating in a wide range of tech segments including aviation, power, healthcare, and renewable energy, and it is currently ranked by Fortune 500 as the 21st-largest company in the U.S. by revenue. GE currently has customers in more than 180 countries and in excess of 280,000 employees according to the company's 2018 annual report. Employees and beneficiaries' PII exposed GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees' email accounts breached by an unauthorized party in February. "We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems," the notification says. GE also states that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as "beneficiaries entitled to benefits in connection with Canon’s workflow routing service." Among the information the attacker gained access to during the breach, GE mentions: [..] direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents, may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms. GE systems not breached According to the notice of data breach GE's systems were not affected by the Canon security breach and it's taking measures to prevent a similar incident from happening in the future. "Canon is offering identity protection and credit monitoring services to affected individuals for two years at no cost to you through a company called Experian," the notice also says. Affected individuals who receive the breach notification letters from GE have until June 30, 2020, to take advantage of these services. GE has also set up a support hotline at 1-800-432-3450 that affected individuals can call between 9 AM and 5 PM Eastern time, Monday through Friday. BleepingComputer has reached out to GE for more details but had not heard back at the time of this publication. ________________________________ Update March 23, 18:33 EDT: When asked about the estimated number of current and former GE employees affected by the breach, a GE spokesperson sent the following statement: We are aware of a data security incident experienced by one of GE’s suppliers, Canon Business Process Services, Inc. We understand certain personal information on Canon’s systems may have been accessed by an unauthorized individual. Protection of personal information is a top priority for GE, and we are taking steps to notify the affected employees and former employees. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Tech Giant GE Discloses Data Breach After Service Provider Hack Destry Winant (Mar 25)