Google employees’ personal details have been spilled by a vendor who handles the company’s benefits management.
Somebody working at the third-party vendor accidentally breached the employees’ information by sending an email with sensitive data to a benefits manager at another company.
On Monday, Google sent a data breach notice to an undisclosed number of employees. That letter was also posted to the Californian Attorney General’s website.
Google is still investigating. But as far as the company can see at this point, the breached information included the affected employees’ names and taxpayer ID numbers – their Social Security numbers (SSNs). Neither their benefits information nor details on dependents or family members were involved.
Google offered employees the standard data breach bill of fare: in this case, it’s 2 years worth of free identity protection and credit monitoring services. The company also told employees where they could access free credit reports, and it sent along a reference guide with more tips.
It sounds like Google’s lucking out on this one: A check on the computer access logs show that the benefits manager who received the mis-sent email was the only one who viewed the employees’ information.
She’s confirmed that she didn’t manhandle the radioactive stuff: she says she didn’t save it, download it, disclose it or use it in any other way.
Google says that beyond further investigation to “determine the facts,” it’s working with the third-party provider to “ensure that a similar incident doesn’t happen again.”
Heaven knows what training efforts or thumbscrews that might entail. But one thing’s for sure: stuff happens. Email gets bungled.
Organizations are of course vulnerable to their employees fumbling email.
But throw contractors and vendors in the mix, and security has the potential to get ever more sieve-like. It would be nice to think that outsourcing something like benefits administration would also entail outsourcing the angst over potential data loss, but that’s a pipe dream.
A while back, Naked Security ran a series on how to assess a third-party vendor’s security practices. Part 1 has tips that should help you gain a valuable insight into a vendor’s security practices, and part 2 takes a look at how to assess security functionality in vendors’ apps: namely, which features can help you configure a given solution in a secure manner.
Steve
Would be nice to know which third-party vendor that was.
Mahhn
This makes me think this was not news worthy – from Googles notice of Data Breach (as linked above) “We recently learned that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our Googlers to a benefits manager at another company.”
Nobody malicious was involved…
Paul Ducklin
The problem with data breaches like this is that Google trusted X with employees’ PII. X shared it with Y, who had no right to see it. That’s simply unacceptable. Doesn’t matter if the data was wrongly sent to Her Majesty the Queen. The whole idea of data protection is, well…
…data *protection*, not a conspicuous failure to protect it!
Rob
She said she didn’t do anything. Case closed. Oh, just one more thing. Why were they emailing sensitive info in a manner that allowed an unintended recipient to view it?
M Thibault
That’s the big question, and the whole reason this is at least newsworthy. It’s a good example of what *not* to do.
Sensitive data needs to be handled properly. And email *never* counts as properly.
Paul Ducklin
There’s also the issue that if X sends PII to Y that Y isn’t supposed to have…then X has needlessly put Y in a tricky position, even (perhaps especially) if Y then behaves in a perfectly upstanding fashion.
James
Google employees’ details breached
Sauce for the goose after what they do to Google users’ details.