A February breach at service provider Canon Business Process Services exposed the personal information of current and former GE employees and their beneficiaries.
“While I’m usually a bit numb to the latest data breach, the sheer variety of exposed information is unique,” said Roger Grimes, data-driven defense evangelist at KnowBe4.
“GE and Canon haven’t disclosed how the breach occurred but what has been released seems to indicate that it likely was accomplished using a standard credential phishing attack or due to credential reuse on another site,” Grimes said.
Direct deposit forms, driver’s licenses, birth certificates, passports, marriage certificates, medical child support orders, tax withholding forms and applications for benefits such as retirement or severance were among the documents tapped between February 3 and February 14 after “an unauthorized third party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems,” GE said in an alert.
The documents were uploaded by or for those affected and may have contained Social Security numbers, bank account numbers, birthdates, names, addresses and driver’s licenses, among other information contained in relevant forms.
“The unique types of information potentially leave the involved victims in a higher risk position than most stolen confidential information,” said Grimes.
Data in child support orders “could lead an attacker to create a spear phishing email crafted with those specific details, pretending to be someone official claiming some impending event needs action right now or some unwelcome especially stressful event could occur,” he said, while “knowledge of death certificates could help an attacker craft new synthetic identities based on details of that involved person to get new credit cards, loans, and other financial instruments.”