With news cycles currently dedicated to COVID-19 coverage, perhaps you missed that GE – the US-based multinational – recently disclosed that it had suffered a data breach that originated at one of its third-party service providers, Canon Business Process Services. In doing so, GE joins a host of global brands and household names, such as Marriott, Quest Diagnostics, LabCorp, Sprint and Target, that have suffered breaches of this kind. Indeed, this breach is a prime case for ensuring greater controls over third parties.
Here’s a quick write-up on what we know about the breach, and how third-party risk management solutions such as Prevalent’s can help.
According to GE, between February 3 - 14, 2020, an unauthorized party gained access to a Canon email account that contained sensitive information on current and former GE employees and their beneficiaries. GE partnered with Canon for document processing. The documents managed by the owner of the breached email account included personal information such as direct deposit forms, driver’s licenses, passports, birth certificates, and more – and likely also included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and/or dates of birth.
Although we don’t know the vector of attack for certain – for example, it could have happened via a spear phishing or social engineering attack – we do know that continuously assessing and monitoring the controls of third parties helps to reduce the likelihood and impact of breaches such as this one.
During this current time of uncertainty, hackers are going to look to take advantage of distracted teams and drained resources. At a time when supply chain security is more critical than ever, we can no longer afford to treat it as a compliance check box.
A mature third-party risk management program is agile and prepared for data breach incidents by:
GE has said that they are taking appropriate measures to ensure security; that the incident did not directly impact GE systems; and that they were working with Canon to determine how the incident occurred. However, this presents little solace to the thousands of GE employees potentially impacted by this breach. Two years of free credit monitoring via Experian is only a band-aid.
Concerned about your own third-party risk practices? Take Prevalent’s online risk assessment and get a quick score and recommendations on what to address immediately.