GE Announces Data Breach from Third-Party Service Provider

With news cycles currently dedicated to COVID-19 coverage, perhaps you missed that GE – the US-based multinational – recently disclosed that it had suffered a data breach that originated at one of its third-party service providers, Canon Business Process Services. In doing so, GE joins a host of global brands and household names such as Marriott, Quest Diagnostics, LabCorp, Sprint and Target, that have suffered breaches of this kind. Indeed, this breach is a prime case for ensuring greater controls over third parties.

Here’s a quick write-up on what we know about the breach, and how third-party risk management solutions such as Prevalent’s can help.

GE Breach Overview

According to GE, between February 3 - 14, 2020, an unauthorized party gained access to a Canon email account that contained sensitive information on current and former GE employees and their beneficiaries. GE partnered with Canon for document processing. The documents managed by the owner of the breached email account included personal information such as direct deposit forms, driver’s licenses, passports, birth certificates, and more – and likely also included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and/or dates of birth.

Although we don’t know the vector of attack for certain – for example, it could have happened via a spear phishing or social engineer attack – we do know that continuously assessing and monitoring the controls of third parties helps to reduce the likelihood and impact of breaches such as this one.

How Third-Party Risk Management Can Help

During this current time of uncertainty, hackers are going to look to take advantage of distracted teams and drained resources. In a time where supply chain security is more critical than ever, we can no longer afford to treat it as compliance check box.

A mature third-party risk management program is agile and prepared for data breach incidents by:

• Assessing vendors against a host of security best practices frameworks, with clear scoring on weaknesses targeted for remediation
• Monitoring dark web hacker chatter forums for company mentions or stolen credentials
• Using real-time breach notification and intelligence from multiple sources to inform out-of-band assessments regarding critical cyber security practices (e.g., two-factor authentication, password rotation policies, and employee training and awareness programs)
• Leveraging pre-completed assessments to gain insights into whether vendors have had vulnerabilities like this one in the past, and what their remediation plans were
• Employing programmatic processes for breach detection, notification and escalation to the third-party in question

GE has said that they are taking appropriate measures to ensure security; that the incident did not directly impact GE systems; and that they were working with Canon to determine how the incident occurred. However, this presents little solace to the thousands of GE employees potentially impacted by this breach. Two years of free credit monitoring via Experian is only a band-aid.

Concerned about your own third-party risk practices? Take Prevalent’s online risk assessment and get a quick score and recommendations on what to address immediately.