Google experienced an insider data breach when a third-party vendor mistakenly sent a confidential document, which contained personal information such as Social Security numbers for an unspecified number of Google employees, to another company.
In a letter to affected employees, Google wrote that "a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our [employees] to a benefits manager at another company. Promptly upon viewing the document, the benefits manager deleted it and notified Google's vendor of the issue. After the vendor informed us of the issue, we conducted an investigation to determine the facts."
Teri Wisness, director of U.S. benefits for Google, sent the letter detailing the incident and offering "identity protection and credit monitoring services" to employees affected by the insider data breach.
"We have no evidence that any of your information has been misused as a result of this incident, and computer access logs indicate that no other individuals viewed your information before it was deleted," Wisness wrote. "In addition, the benefits manager has confirmed that she did not save, download, disclose or otherwise use the information contained in the document."
Gord Boyce, CEO of file security firm FinalCode, said the damage from the insider data breach could have been much worse. "Google and its third-party benefits vendor are lucky that the recipient deleted the document and informed them of the mistake without incident," he said. "Not all companies and their customers will fare so well.
"With all of the layers of security available, organizations like the benefits vendor have no excuse when it comes to preventing data leakage of customer information or intellectual property," Boyce added. "Securing sensitive information at the file level is the best way to define individual access permission and ensures that you can maintain control over your data everywhere it travels, inside or outside the organization. This minor Google breach serves as a cautionary tale that sensitive information can be taken with malicious intent or, in this case, sent by accident. Once unencrypted data is out there, it's out there. Organizations should foresee this occurring and apply file security and policies beforehand."
FDIC reports five 'major' data leakage incidents
Meanwhile, the Federal Deposit Insurance Corp. (FDIC) notified Congress of five "major incidents" of insider data breaches that have occurred since Oct. 30, the Washington Post reported. In all cases, the data leakage occurred when employees leaving the agency mistakenly downloaded taxpayer information along with their personal data. All employees involved provided affidavits that they had not shared the data. The FDIC considered the incidents "low risk" and only reported them now because they had been resolved before the FDIC Office of Inspector General defined "major incident" as involving 10,000 or more records.
In other news
- The FBI encryption fight continues as FBI Director James Comey said he would continue to use litigation to attempt to gain access to locked or encrypted devices, Reuters reported. Calling encryption "essential tradecraft" for terrorist groups, Comey said FBI experts had examined about 4,000 devices since October but had been unable to access about 500 of those. Comey said he thought none of the locked devices could be unlocked with the tool the FBI purchased to gain access to the iPhone used by the San Bernardino shooter Syed Rizwan Farook. Comey also said the end-to-end encryption added to WhatsApp was affecting criminal investigations conducted by the FBI but that he had no plans to sue the company at this time.
- Florida security researcher David Levin was arrested months after he appeared in a YouTube video posted early this year demonstrating a "big gaping hole" in the security of the website and servers used by Florida's Lee County Supervisor of Elections. Levin described using a SQL injection attack to gain access to the servers and control of the website's content management system, where he discovered that passwords for the database were maintained in an unencrypted table. The video featured Dan Sinclair, who is running for Supervisor of Elections in Lee County. Levin, owner of Vanguard CyberSecurity, based in Estero, Fla., was released on a $15,000 bond.
- Adobe announced availability of yet another patch for a critical vulnerability (CVE-2016-4117) in Adobe Flash Player, for versions earlier than 126.96.36.199 for Windows, Macintosh, Linux and Chrome OSes. According to the advisory: "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Additional reporting by Michael Heller.