[German]The US giant General Electric (GE) has now confirmed a data protection incident in which personal data of former and current employees of a service provider got into the hands of unauthorized persons.
Who is General Electric (GE)?
General Electric GE is a multinational corporation active in a variety of technology segments including aerospace, energy, healthcare and renewable energy, and is currently ranked by Fortune 500 as the 21st largest company in the United States by revenue. The company has customers in more than 180 countries and more than 280,000 employees, according to the company's 2018 annual report.
Data privacy incident at a service provider
In a (deleted) (PDF) General Electric (GE) has disclosed a data protection incident in the USA. At Canon Business Process Services (Canon), a GE service provider, one of its employees' email accounts was compromised by an unauthorized party in February 2020. The GE notification states
We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 – 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon's systems.
Between February 3 and 14, 2020, an unauthorised third party had access to the e-mail account in question. This account contained documents containing personal information of certain GE employees, former employees and beneficiaries entitled to benefits on Canon's systems. The personal information disclosed in the data protection incident is already very sensitive:
- Direct Payment Forms,
- Driver's licenses, passports, birth, marriage and death certificates,
- medical maintenance instructions for children,
- Forms for the withholding of taxes,
- forms for the designation of beneficiaries and
- forms for benefits such as retirement pension, severance pay and death grants
The associated forms and documents may have included names, addresses, social security numbers, driver's license numbers, bank accounts, passport numbers, dates of birth and other information. General Electric was notified of this privacy incident at Canon Business Process Services (Canon) on February 28, 2020 and filed a notice with the California Attorney General.
It is unclear whether General Electric employees outside the USA are also affected. According to the notification, General Electric systems are not affected. Persons affected have probably already been informed by the company. The service provider Canon is offering the affected persons identity protection and credit monitoring free of charge for two years through a company called Experian. Further information can be found at Bleeping Computer and in the (deleted). This is not the first data leak, by the way. In the summer of 2019, Bob Diachenko discovered sensitive documents on an unsecured Jenkins server of GE's Aviation Division.