[BreachExchange] Blundering Boeing bod blabbed spreadsheet of 36,000 coworkers' personal details in email

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 22 19:33:42 EST 2017


https://www.theregister.co.uk/2017/02/22/boeing_employee_emails_personal_info_36000_colleagues/

Global aerospace firm Boeing earlier this month sent a notification to
Washington State Attorney General Bob Ferguson, as required by law, about a
company employee who mistakenly emailed a spreadsheet full of employee
personal data to his spouse in November, 2016.

The spreadsheet, sent to provide the employee's spouse with a formatting
template, contained the personal information of roughly 36,000 other Boeing
employees, including Social Security numbers and dates of birth, in hidden
columns. Some 7,288 of the affected employees resided in Washington State.

Had the company been using the data loss protection (DLP) software it
makes, Boeing might not now be in the position of offering two-year
subscriptions to Experian's identity theft protection service to tens of
thousands of employees.

Boeing sells a Windows-based DLP application called Cipher, through a
partnership with Talisen Technology. "Proprietary or classified information
can intentionally or accidentally be included in documents shared with
others," Boeing explains in the product literature. "Boeing programmers
have created a superior product that can be used to ensure that hidden
information is not inadvertently included in and transmitted with a file."

Reached by phone and sounding rather surprised that a reporter would call
her directly on the line included in the breach notification, Boeing's
deputy chief privacy officer Marie E Olson declined to answer whether the
company was using its data protection software in this instance. She
suggested taking the issue up with Boeing's corporate communications
department.

Not expecting much, The Register asked Boeing's communications department
whether the company ate its own security dog food. A company spokesperson
said in an email, "We have notified all affected parties about the
incident. We believe it is contained and the risk of harm is very low. I
don't have anything else to add."

The Register then reached out to Gregory L Smith, a Boeing technical fellow
and, as his LinkedIn profile says, "the innovator and developer behind the
Cipher software application." Smith explained in a brief phone interview
that Boeing has thousands of copies of the software, but that it only
mandates the product for classified work.

According to research conducted by IBM and the Ponemon Institute –
presumably to incentivize the sale of security software and services – the
average cost of a data breach reached $4 million in 2016 and the average
cost per record came to $158. For Boeing then, the cost of that spreadsheet
might be as high as $5.7 million.