General Electric Employees Breached via Supply Chain

General Electric (GE) has reported a breach of employee data which occurred via a third-party service provider.

The US corporate giant claimed in the filing with the Californian Office of the Attorney General (OAG) that it was notified about the incident on February 28 by Canon Business Process Services.

“Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems,” it said.

“Canon has indicated that the affected documents, which contained certain personal information, were uploaded by or for GE employees, former employees and beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”

Documents including direct deposit forms, driver’s licenses, passports, birth, marriage and death certificates, and benefits application forms were exposed, potentially compromising names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and more.

GE was at pains to point out that its own systems were not affected and said it’s both trying to work out how the unauthorized party gained access to the personal data, and is taking steps to ensure the same thing doesn’t happen again.

Canon is offering a free two-year membership of Experian IdentityWorks Credit 3B product to help those affected detect misuse of their personal information, which they must enrol in by the end of June.

This isn’t the first time GE has suffered a cybersecurity incident, albeit via its supply chain. A year ago the Department of Justice unsealed a complaint against a former GE engineer, Xiaoqing Zheng, which it accused of conspiring with Chinese government-funded companies to steal IP related to the firm’s gas and steam turbine technology.

What’s Hot on Infosecurity Magazine?