News highlights:
- General Electric suffered a data breach as one its third party service provider ق€˜Canonق€™ was cyberattacked
- Personal information of GE staff and has been accessed by an unauthorised party
- The point of breach was a Canon employeeق€™s email account
- Details like names, addresses, passport numbers, social security numbers, bank account numbers and several certificates and documents leaked
- GE employees, ex-employees and beneficiaries at risk of phishing or scamming
If you thought Fortune 500 companies donق€™t have to deal with cyberattacks, think again.
The behemoth corporations of the world, especially those that have a lot riding and millions counting on them, are actually the ones that have to take immaculate care when it comes to maintaining a good cybersecurity posture.
As their size of business and scale of operations expand, so does their need for good cybersecurity.
General Electric and Canon
General Electric recently reported that one of their third party service providers, Canon Business Process Services , Inc. has suffered a cyberattack which has extended in a data breach for the multinational conglomerate itself.
Although the General Electric needs no introduction but you should know that the global giant functions in many segments, from aviation, power and healthcare to energy, finance and lighting.
Even a single and small data breach can put a significant dent in the company of such a vast portfolio.
Canon provides companies with record and information management, document imaging, print, mail services, BPO and legal solutions.
GE relies on Canon to outsource its document process management related to the HR department.
Now you can easily imagine how much access Canonق€™s employees have over GE data and documents.
It is in such cases that employee training in cybersecurity plays a life-saving role for service providers in order to make sure that their clientsق€™ data is protected at all costs.
How did General Electric suffer a data breach?
On February 28 this year, Canon Business Process Services, Inc. informed GE that between February 3 to February 14, an unauthorized party accessed a Canonق€™s employeeق€™s email account which contained confidential documents related to some GE employees, former employees, and beneficiaries entitled to benefits.
By default, the breach of account of Canonق€™s employees extended to the breach of data of GEق€™s employees in this case.
The origin of the cyberattack is unclear as of now, but it is speculated that it could have been the work of a malware on the employeeق€™s computer, or the negligence in keeping a strong and unique password.
Lack of proper staff training in cybersecurity measures and protocols is absolutely vital for agencies like Canon who handle sensitive data of global giants.
The bigger the client, the higher the motivation of hackers to break into the systems.
What information was leaked?
A large amount of Personally Identifiable Information was leaked during this cyberattack. It includes:
- Direct deposit forms
- Driverق€™s license numbers
- Passport numbers
- Birth certificates
- Marriage certificates
- Death certificates
- Names
- Addresses
- Social Security numbers
- Bank account numbers
- Medical child support orders
- Tax withholding forms
- Beneficiary designation forms
- Applications for benefits such as retirement, severance and death benefits
What are the dangers posed by this data breach?
Even though the information did not contain any financially sensitive information like PINs, passwords and CVVs, it could still lead to cyberattacks and other threats for those who have been exposed. Threats include:
1. A specially crafted and highly convincing phishing email to target a particular at-risk GE employee
2. Sale of stolen data on dark web platforms
3. Use of financial and personally identifiable information (PII) to harass or target the victims
4. Using spear phishing to target a GE employeeق€™s email account or computer and compromising more of GEق€™s sensitive data
What is GE and Canon doing to protect the affected?
GE says that it is working with Canon to identify all those who are affected by this breach while Canon has contained and fixed the issue on its end.
A forensic investigation has been started to look into the matter.
GE has clearly stated that the GE systems and the data stored on them have not been affected at all.
As a relief measure, ق€œCanon is offering identity protection and credit monitoring services to affected individuals for two years at no cost through a company called Experianق€ , said GE in its notice .
What do you think of this news? Do you think employee training in cybersecurity could have prevented this attack and subsequent data breach?
Let us know your thoughts in the comments below. If you are a company, you can ask your staff to practice basic cybersecurity hygiene .
You can also contact us for online instructor-led training for your staff. Keep an eye out on our news blog for more cybersecurity updates.
Stay tuned, stay safe.