[BreachExchange] Tech Giant GE Discloses Data Breach After Service Provider Hack

Destry Winant destry at riskbasedsecurity.com
Wed Mar 25 10:14:54 EDT 2020


https://www.bleepingcomputer.com/news/security/tech-giant-ge-discloses-data-breach-after-service-provider-hack/


Fortune 500 technology giant General Electric (GE) disclosed that
personally identifiable information of current and former employees,
as well as beneficiaries, was exposed in a security incident
experienced by one of GE's service providers.

GE is a multinational operating in a wide range of tech segments
including aviation, power, healthcare, and renewable energy, and it is
currently ranked by Fortune 500 as the 21st-largest company in the
U.S. by revenue.

GE currently has customers in more than 180 countries and in excess of
280,000 employees according to the company's 2018 annual report.


Employees and beneficiaries' PII exposed

GE says in a notice of data breach filed with the Office of the
California Attorney General that Canon Business Process Services
(Canon), a GE service provider, had one of their employees' email
accounts breached by an unauthorized party in February.

"We were notified on February 28, 2020 that Canon had determined that,
between approximately February 3 - 14, 2020, an unauthorized party
gained access to an email account that contained documents of certain
GE employees, former employees and beneficiaries entitled to benefits
that were maintained on Canon’s systems," the notification says.

GE also states that the sensitive personal information exposed during
the incident was uploaded by or for current and former GE employees,
as well as "beneficiaries entitled to benefits in connection with
Canon’s workflow routing service."

Among the information the attacker gained access to during the breach,
GE mentions:

[..] direct deposit forms, driver’s licenses, passports, birth
certificates, marriage certificates, death certificates, medical child
support orders, tax withholding forms, beneficiary designation forms
and applications for benefits such as retirement, severance and death
benefits with related forms and documents, may have included names,
addresses, Social Security numbers, driver’s license numbers, bank
account numbers, passport numbers, dates of birth, and other
information contained in the relevant forms.

GE systems not breached

According to the notice of data breach, GE's systems were not affected
by the Canon security breach, and it's taking measures to prevent a
similar incident from happening in the future.

"Canon is offering identity protection and credit monitoring services
to affected individuals for two years at no cost to you through a
company called Experian," the notice also says.

Affected individuals who receive the breach notification letters from
GE have until June 30, 2020, to take advantage of these services.

GE has also set up a support hotline at 1-800-432-3450 that affected
individuals can call between 9 AM and 5 PM Eastern time, Monday
through Friday.

BleepingComputer has reached out to GE for more details but had not
heard back at the time of this publication.

________________________________

Update March 23, 18:33 EDT: When asked about the estimated number of
current and former GE employees affected by the breach, a GE
spokesperson sent the following statement:

We are aware of a data security incident experienced by one of GE’s
suppliers, Canon Business Process Services, Inc. We understand certain
personal information on Canon’s systems may have been accessed by an
unauthorized individual. Protection of personal information is a top
priority for GE, and we are taking steps to notify the affected
employees and former employees.

