Tech Giant GE Discloses Data Breach After Service Provider Hack
The recent data breach of a GE supply chain service provider resulted in the theft of PII for many of the company’s employees.
GE currently has customers in more than 180 countries and employs 280,000 people, according to the company’s 2018 annual report.
“The breach occurred at Canon Business Process Services (Canon), a GE service provider, where an email account of a single employee was breached, resulting in an unauthorized party gaining access to an email account that contained documents of certain GE employees, former employees, and beneficiaries entitled to benefits that were maintained on Canon’s systems”.
Also, GE stated that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as “beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”
GE reported the incident to the Office of the California Attorney General and has notified the affected individuals in accordance with data breach laws and the CCPA.
GE said that its own IT systems were not affected by the Canon security breach and that it is taking all necessary measures to prevent a similar incident from happening in the future.
Supply chain cybersecurity risk
This attack highlights the issues of Supply Chain and Third-Party Provider attacks.
As companies seek to reduce costs and improve operational margins, they rely on suppliers of business services or providers of products in order to take advantage of the lower costs these partners achieve through specialization and economies of scale.
These strategies are sound business practices in the growing trend toward collaborative eco-systems. In fact, it’s impossible for an organization the size of GE to operate without an efficient global supply chain spanning tens of thousands of subcontractors and vendors.
The cybersecurity risk companies face is the lack of control they have over the protection of data they now share with, or have hosted by, these suppliers: that data is not always protected to the same level of security that the company itself, as data owner, imposes on its own resources.
The inability to determine the financial impact of these types of breaches makes it very hard for cost-conscious outsourced or third-party suppliers of services and goods to right-size their risk and breach mitigation measures.
The attackers that are leveraging these third-party or supply chain attacks are often identified as Political Cyber Warriors, Financial Hackers, Disgruntled Employees, and Industrial Espionage Agents.
These actors have already done the math on the financial value of such purloined information, and have sufficient resources behind them to invest in the attack methods that enable these penetrations and exfiltrations and still make a positive return on investment.
As the number of attacks and the size/prestige of victims of these breaches increases, companies must be much more diligent in coping with these risks.
What can you do?
When selecting third-party service providers or supplier partnerships, companies must perform reasonable due diligence to assure themselves and their stakeholders that the selection process does not just focus on cost.
The first step is for companies to assess the financial impact such a breach will have on their business in terms of reputation and survivability.
This can be accomplished by first quantifying the risk in monetary terms: a Cyber Risk Quantification exercise can attach a financial impact figure to the compromise of each type of asset.
Companies should perform this themselves or with the assistance of independent professionals. It should not be done by the outsource provider.
Secondly, each potential provider should demonstrate that its data security and relevant privacy measures are adequate by undergoing a defensive maturity assessment, which verifies that all security measures are in place, current and fully configured.
There are several industry-specific frameworks, such as those from ISO, NIST, and others, that provide a standard yet independent basis for conducting these assessments.
These assessments should be performed as necessary: prospective clients should ask for and receive them during the selection or on-boarding process, as well as on a periodic basis according to the risk exposure of the vendor.
Obviously, performing such assessments manually at this scale isn’t practical, so an automated solution must be implemented to facilitate the process.
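As an added illustration of the procedure above, and not code from the original article, the following Python sketch models a small vendor risk register: it attaches a monetary figure (annualized loss expectancy) to each data set a provider holds, scores the provider's control maturity from an assessment, flags controls that fall below a floor, and derives the reassessment cadence from the exposure tier rather than from a fixed calendar. Every vendor, asset, dollar figure, probability, control score, tier threshold and review interval is a constructed assumption chosen for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed assumptions: exposure tiers in USD of annualized loss expectancy,
# the reassessment interval per tier, and the minimum acceptable control score.
# A real programme would set these from its own risk appetite.
TIER_THRESHOLDS = (("high", 250_000.0), ("medium", 25_000.0))
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
MATURITY_FLOOR = 0.7
SAMPLE_LAST_REVIEW = date(2020, 3, 1)  # constructed date of the last assessment


@dataclass
class Asset:
    """A data set the vendor holds on the company's behalf."""
    name: str
    records: int
    cost_per_record: float            # estimated impact per exposed record, USD
    annual_breach_probability: float  # estimated likelihood per year, 0..1

    def annualized_loss_expectancy(self) -> float:
        # ALE = single loss expectancy (records * cost) * annual rate of occurrence
        return self.records * self.cost_per_record * self.annual_breach_probability


@dataclass
class Vendor:
    name: str
    assets: list
    control_scores: dict  # control name -> maturity score 0..1 from the assessment

    def exposure(self) -> float:
        """Monetary exposure the company carries through this vendor."""
        return sum(a.annualized_loss_expectancy() for a in self.assets)

    def maturity(self) -> float:
        """Mean maturity across assessed controls (0.0 if nothing was assessed)."""
        if not self.control_scores:
            return 0.0
        return sum(self.control_scores.values()) / len(self.control_scores)

    def gaps(self, floor: float = MATURITY_FLOOR) -> list:
        """Controls scored below the floor, weakest first."""
        weak = [(score, name) for name, score in self.control_scores.items() if score < floor]
        return [name for _, name in sorted(weak)]


def risk_tier(exposure: float) -> str:
    for tier, threshold in TIER_THRESHOLDS:
        if exposure >= threshold:
            return tier
    return "low"


def next_review(vendor: Vendor, last_review: date) -> date:
    """Review cadence follows the vendor's exposure tier."""
    days = REVIEW_INTERVAL_DAYS[risk_tier(vendor.exposure())]
    return last_review + timedelta(days=days)


def onboarding_decision(vendor: Vendor) -> str:
    """Simple gate: high exposure combined with weak controls blocks onboarding."""
    tier = risk_tier(vendor.exposure())
    if vendor.gaps() and tier == "high":
        return "remediate before onboarding"
    if vendor.gaps():
        return "onboard with remediation plan"
    return "onboard"


# Constructed sample register: two hypothetical providers, one holding HR data
# and one holding nothing sensitive.
HR_PROCESSOR = Vendor(
    name="Example Workflow Services (hypothetical)",
    assets=[
        Asset("employee benefits documents", 50_000, 150.0, 0.05),
        Asset("payroll files", 20_000, 150.0, 0.05),
    ],
    control_scores={"mfa_on_email": 0.2, "phishing_training": 0.5,
                    "data_retention": 0.4, "logging_and_alerting": 0.8},
)
OFFICE_SUPPLIER = Vendor(
    name="Example Office Supplies (hypothetical)",
    assets=[Asset("purchase catalogue", 1_000, 1.0, 0.1)],
    control_scores={"mfa_on_email": 0.9, "phishing_training": 0.8,
                    "data_retention": 0.9, "logging_and_alerting": 0.7},
)


if __name__ == "__main__":
    for v in (HR_PROCESSOR, OFFICE_SUPPLIER):
        print(f"{v.name}: exposure ${v.exposure():,.0f} tier={risk_tier(v.exposure())} "
              f"maturity={v.maturity():.2f} gaps={v.gaps()} "
              f"decision={onboarding_decision(v)} "
              f"next review={next_review(v, SAMPLE_LAST_REVIEW)}")
```

The point of the sketch is the coupling the article calls for: the exposure number produced by the quantification step drives both how often the vendor is reassessed and whether weak controls are a blocker or merely a remediation item, so the same email-account weakness is treated very differently for a provider that holds employee records than for one that does not.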
Cyber mitigation has become a fact of life, and companies must make sure they deal with it effectively. Outsourcing services or products for resale in an eco-system can be extremely beneficial: it lets organizations move investment off the balance sheet and gain the benefits of the market in sourcing such services, yet they must act aggressively to ensure that their partners are delivering on protecting the company from risk.
A third-party assessment cannot and will not prevent a cyber incident, but it will help organizations build a robust supply chain and respond quickly and decisively when an attack occurs, just as GE did.