Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former GE employees, as well as beneficiaries, was exposed in a security incident experienced by one of its service providers. GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees’ email accounts breached by an unauthorized party in February.
Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former GE employees, as well as beneficiaries, was exposed in a securit… via @BleepinComputer #security #tech #MondayMotivation https://t.co/DShnNLprF9
— AJ Durling (@Gurgling_MrD) March 23, 2020
The General Electric data breach demonstrates that even if your organisation has good cybersecurity standards, partnering with other businesses brings with it additional cyber risks. The leaked information includes sensitive data such as direct deposit forms, drivers’ licenses, passports, birth, marriage and death certificates, potentially compromising names, addresses, bank account numbers and passport numbers. These could be used in identity fraud or targeting specific employees in phishing campaigns; common tactics used by cyber criminals.
As our world becomes more connected than ever, managing the security risk of your supply chain is becoming increasingly important for businesses. Ensuring companies you’re connected with apply the same standards of cyber best practice should be a key deciding factor when selecting a vendor or partner. Beyond this, it is important to have a layered approach to security, enabling malicious activity such as threats or data theft to be identified as early as possible to mitigate damage caused.
Our modern digital economy is fundamentally a supply chain where the organization we do business with is itself powered by countless other organisations. In this case, GE contracted with Canon Business Process Services as part of GEs benefits program. This relationship entitled Canon to access sensitive GE personnel records as part of its contract with GE. The breach occurred when an attacker gained access to the email address of a Canon employee working on the GE contract. This access allowed the attackers to access sensitive information for approximately ten days.
While the underlying root causes remain undisclosed, it’s my hope that Canon and GE will take this opportunity to detail the attack timeline and lessons they learn in their efforts to prevent future attacks. Such disclosures would place both GE and Canon in a leadership position in defending against future attacks and provide greater benefit to their customers than simply offering credit monitoring services. Businesses are under constant attack and when we shine a light on the attack methods and share information about methods that could detect attacks in progress earlier, we can begin to reduce the incidence of successful attacks.
It seems no matter how much Training and awareness that is provided, the human element remains the weakest link in the cybersecurity chain. The problem is not entirely the employees’ faults, as hackers and attackers are improving their tactics to trick employees into clicking on links infected with malware. A determined attacker may go as far as designing an email to look authentic and even read as if clicking on the link is the right thing to do. Unfortunately, in this case, hackers obtained the credentials for a corporate email. This means that they had access to everything that the employee did. Instances like this are easily avoided through good account hygiene, however they are extremely difficult to mitigate once it has occurred.
What is clear is that human activity in cyber-space is still susceptible to data breaches, leaks, or exposure. Therefore, companies need to take a more active approach to safeguard their businesses from cyber-attacks. AI can help determine if emails should be captured and quarantined before even getting to employees’ inboxes. De-identifying sensitive data can also ensure that the data a cyber attacker is usually after, has no exploitable value. Continued awareness training, education, and communication can help reduce the likelihood of humans clicking on malware-laced links, even though the possibility is highest among threat vectors.
\”It seems that no matter how much training and awareness is provided, the human element remains the weakest link in the cybersecurity chain. The problem is not entirely the employees’ faults, as hackers and attackers are improving their tactics to trick employees into clicking on links infected with malware. A determined attacker may go as far as designing an email to look authentic and even read as if clicking on the link is the right thing to do. Unfortunately, in this case, hackers obtained the credentials for a corporate email. This means that they had access to everything that the employee did. Instances like this are easily avoided through good account hygiene, however they are extremely difficult to mitigate once it has occurred.
What is clear is that human activity in cyber-space is still susceptible to data breaches, leaks, or exposure. Therefore, companies need to take a more active approach to safeguard their businesses from cyber-attacks. AI can help determine if emails should be captured and quarantined before even getting to employees’ inboxes. De-identifying sensitive data can also ensure that the data a cyber attacker is usually after, has no exploitable value. Continued awareness training, education, and communication can help reduce the likelihood of humans clicking on malware-laced links, even though the possibility is highest among threat vectors. \”
Interestingly in this case it was not GE, but one of their service providers Canon, that suffered the data breach resulting in GE employees’ personally identifiable information being disclosed.
According to Canon an unauthorised party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries. This highlights the fact that organisations are still too casual with sensitive data.
Organisations need to implement a security first culture, through processes which enforce the change of default passwords, blacklist commonly used passwords and implement Multi Factor Authentication (MFA).
Businesses that are using cloud storage should have access control programmes and processes in place that allow them to better manage every single identity that touches corporate data, protecting against threats and cloud malware in real-time. This will help them understand who is accessing sensitive data and reduce the risk of data breaches like this materialising.