GE disclosed that personal information for a number of current and former employees was exposed in a security breach that took place between February 3 and 14 at Canon Business Process Services, one of its service providers. Although the breach did not occur in GE’s systems, according to the legal filing, the case highlights a common supply chain risk: cyber governance extends beyond a company’s own networks to the security regimes of its counterparties.
Personal identification information for an undisclosed number of current and former GE employees and their beneficiaries, including passports, driver’s licenses, birth certificates, bank account numbers and direct deposit forms, Social Security numbers, and dates of birth, was reportedly included in the data theft. While GE promptly reported this incident to the California Attorney General’s office, and while data loss incidents such as this one are less costly to companies than ransomware breaches that disrupt company operations, the case still highlights the need for companies to implement rigorous cybersecurity regimes that take into account the cyber governance of their counterparties.
Suppliers or customers that have access to company IP or offer a potential back door into company IT systems must also be accounted for as part of a more robust approach to cyber governance. Events in the past year impacting some of the world’s largest managed service providers, like Wipro, and the 2018 theft of sensitive documents from many major automobile companies (Tesla, VW, Toyota, Ford, Chrysler, GM) via a third-party robotics vendor demonstrate that growing digital interconnectedness is making it increasingly difficult to distinguish a corporate network’s threat surface from that of a supplier, partner, or customer.
This gets at what Cyberhedge calls the third-party paradox: the corporate drive for greater efficiency and cost savings has created additional cyber-related supply chain vulnerabilities that most companies haven’t considered when making strategy decisions about outsourcing.