Tech Giant GE Discloses Data Breach – Experts Reaction

Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former GE employees, as well as beneficiaries, was exposed in a security incident experienced by one of its service providers. GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees’ email accounts breached by an unauthorized party in February.

Experts Comments

March 24, 2020
Roger Grimes
Data-driven Defence Evangelist
KnowBe4
While I’m usually a bit numb to the latest data breach, the sheer variety of exposed information is unique. GE and Canon haven’t disclosed how the breach occurred but what has been released seems to indicate that it likely was accomplished using a standard credential phishing attack or due to credential reuse on another site. Either way, both are fairly common types of attacks and should be well covered by a good security awareness training campaign. The unique types of information potentially leave the involved victims in a higher risk position than most stolen confidential information. For example, knowledge of child support orders could lead an attacker to create a spear-phishing email crafted with those specific details, pretending to be someone official claiming some impending event needs action right now or some unwelcome, especially stressful event, could occur. “Do this or your kid goes to the other parent!”-type threat. Knowledge of death certificates could help an attacker craft new synthetic identities based on details of that involved person to get new credit cards, loans, and other financial instruments. Employees under severance deals could be phished by someone that is threatening the victim’s severance payout unless the victim opens such-and-such document, goes to a particular link, or performs a particular action. The documents involved contain details of people’s lives that are not always commonly known. A heartless phisher could use those private details to craft realistic-looking spear-phishing emails that any victim might fall for. Assuming all the documents were found in the compromised email account, it brings up the question of the long-term risk by allowing those types of confidential documents to remain attached to emails, which can be accessed much later because of a single email compromise.
Those attachments were likely saved off into more secure, more protected systems that GE and Canon felt were sufficient to protect those very private documents. But did the copies remaining in email get deleted when no longer needed or is there even a system in email to better protect those documents in the long-term, for as long as they are in email? There are email protection systems that do better to protect emails and attachments and can actually protect that information from easy unauthorized third party copying, but most of us don’t use them. I don’t necessarily see GE and Canon as the outliers. This is a problem for most companies. I’ve read of email hackers spending days going through a victim’s email inbox, custom folders, and also their deleted (but not emptied) folder and sent items folder, looking for the juiciest finds. That’s what sounds like happened here. A ton of business is conducted using email. Most of us take email systems and the security they do or don’t provide for granted. One policy recommendation might be for the email containing any sensitive attachments to be permanently deleted once the document is saved into another system, but that’s hard to do without also deleting the text of the email and the record that the document was received. All together this incident brings up the need for all of us to look at our own email security and the long-term handling of the sensitive documents it can contain.
March 27, 2020
Stuart Reed
UK Director
Orange Cyberdefense
The General Electric data breach demonstrates that even if your organisation has good cybersecurity standards, partnering with other businesses brings with it additional cyber risks. The leaked information includes sensitive data such as direct deposit forms, drivers’ licenses, passports, birth, marriage and death certificates, potentially compromising names, addresses, bank account numbers and passport numbers. These could be used in identity fraud or targeting specific employees in phishing campaigns; common tactics used by cyber criminals. As our world becomes more connected than ever, managing the security risk of your supply chain is becoming increasingly important for businesses. Ensuring companies you’re connected with apply the same standards of cyber best practice should be a key deciding factor when selecting a vendor or partner. Beyond this, it is important to have a layered approach to security, enabling malicious activity such as threats or data theft to be identified as early as possible to mitigate damage caused.
March 25, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Our modern digital economy is fundamentally a supply chain where the organization we do business with is itself powered by countless other organisations. In this case, GE contracted with Canon Business Process Services as part of GE’s benefits program. This relationship entitled Canon to access sensitive GE personnel records as part of its contract with GE. The breach occurred when an attacker gained access to the email address of a Canon employee working on the GE contract. This access allowed the attackers to access sensitive information for approximately ten days. While the underlying root causes remain undisclosed, it’s my hope that Canon and GE will take this opportunity to detail the attack timeline and lessons they learn in their efforts to prevent future attacks. Such disclosures would place both GE and Canon in a leadership position in defending against future attacks and provide greater benefit to their customers than simply offering credit monitoring services. Businesses are under constant attack and when we shine a light on the attack methods and share information about methods that could detect attacks in progress earlier, we can begin to reduce the incidence of successful attacks.
March 25, 2020
Jonathan Deveaux
Head of Enterprise Data Protection
comforte AG
It seems that no matter how much training and awareness is provided, the human element remains the weakest link in the cybersecurity chain. The problem is not entirely the employees’ faults, as hackers and attackers are improving their tactics to trick employees into clicking on links infected with malware. A determined attacker may go as far as designing an email to look authentic and even read as if clicking on the link is the right thing to do. Unfortunately, in this case, hackers obtained the credentials for a corporate email. This means that they had access to everything that the employee did. Instances like this are easily avoided through good account hygiene, however they are extremely difficult to mitigate once it has occurred. What is clear is that human activity in cyber-space is still susceptible to data breaches, leaks, or exposure. Therefore, companies need to take a more active approach to safeguard their businesses from cyber-attacks. AI can help determine if emails should be captured and quarantined before even getting to employees’ inboxes. De-identifying sensitive data can also ensure that the data a cyber attacker is usually after, has no exploitable value. Continued awareness training, education, and communication can help reduce the likelihood of humans clicking on malware-laced links, even though the possibility is highest among threat vectors.
March 25, 2020
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin
Interestingly in this case it was not GE, but one of their service providers Canon, that suffered the data breach resulting in GE employees’ personally identifiable information being disclosed. According to Canon an unauthorised party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries. This highlights the fact that organisations are still too casual with sensitive data. Organisations need to implement a security first culture, through processes which enforce the change of default passwords, blacklist commonly used passwords and implement Multi Factor Authentication (MFA). Businesses that are using cloud storage should have access control programmes and processes in place that allow them to better manage every single identity that touches corporate data, protecting against threats and cloud malware in real-time. This will help them understand who is accessing sensitive data and reduce the risk of data breaches like this materialising.
March 25, 2020
Elad Shapira
Head of Research
Panorays
GE’s recent data breach through its service provider, Canon Business Process Services, illustrates how large enterprises can be vulnerable to cyberattacks through their third-parties. In this case, the sensitive data of GE employees, former employees and beneficiaries was exposed through a breached Canon employee email account. This could have occurred either through malware on the employee’s computer, through a breach to another application that had the same password, or if the employee had a weak password that was easily guessed. In all these cases, however, the breach might have been prevented with a strong password policy and employee security training. This cyber incident underscores why it’s so important for companies to thoroughly assess their service providers’ cyber posture, and why that assessment must also take into account the human factor. Specifically, companies should be sure to check the likelihood of employees to be targeted for an attack based on factors like social media presence, employee security awareness and the presence of a dedicated security team.