A February breach at service provider Canon
Business Process Services exposed the personal information of current and
former GE employees and their beneficiaries.
“While I’m usually a bit numb to the
latest data breach, the sheer variety of exposed information is unique,” said
Roger Grimes, data driven defense evangelist at KnowBe4.
Canon haven’t disclosed how the breach occurred but what has been released
seems to indicate that it likely was accomplished using a standard credential
phishing attack or due to credential reuse on another site,” Grimes said.
deposit forms, driver’s licenses, birth certificates, passports, marriage certificates,
medical child support orders, tax withholding forms and applications for benefits
such as retirement or severance were among the documents tapped between February
3 and February 14 after “an unauthorized third party gained access to an email account
that contained documents of certain GE employees, former employees and beneficiaries
entitled to benefits that were maintained on Canon’s systems,” GE said in an
were uploaded by or for those affected and may have contained Social Security
numbers, bank account numbers, birthdates, names, addresses and drivers’
licenses among other information contained in relevant forms.
“The unique types of information potentially
leaves the involved victims in a higher risk position than most stolen
confidential information,” said Grimes.
Data in child support orders “could lead
an attacker to create a spear phishing email crafted with those specific
details, pretending to be someone official claiming some impending event needs
action right now or some unwelcome especially stressful event could occur,” he
said, while “knowledge of death certificates could help an attacker craft new
synthetic identities based on details of that involved person to get new credit
cards, loans, and other financial instruments.”