Cyber Incident Victim: General Electric
Date:
Feb 2020
Location:
United States of America
Summary
A cybersecurity incident impacting General Electric (GE) occurred when unauthorized actors accessed an email account at service provider Canon Business Process Services, compromising sensitive personal information of current and former employees and beneficiaries. Exposed data included names, Social Security numbers, bank account details, passport information, dates of birth, and documents such as tax forms, birth certificates, and benefit applications. The breach did not affect the company's internal systems. Canon provided affected individuals with two years of identity protection and credit monitoring services through Experian, alongside a dedicated support hotline for assistance. GE emphasized the priority of protecting personal information and notified impacted parties.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In February 2020, General Electric (GE) experienced a data breach involving unauthorized access to sensitive employee information through a third-party service provider. The incident occurred between February 3 and February 14, 2020, when an attacker compromised an email account belonging to Canon Business Process Services, a vendor handling GE's document workflow services. GE was notified of the breach by Canon on February 28, 2020. The compromised email account contained documents belonging to current and former GE employees as well as beneficiaries entitled to company benefits. Exposed information included highly sensitive personal data extracted from direct deposit forms, tax documents, identification records, and benefits applications. Specific data elements compromised consisted of names, addresses, Social Security numbers, driver's license numbers, passport numbers, bank account details, dates of birth, and medical support orders. The breach affected individuals across GE's global workforce, though the company did not disclose the exact number of impacted persons in its public statements. GE emphasized that its own internal systems remained secure throughout the incident, confirming the breach was isolated to Canon's infrastructure.
Upon discovery, GE implemented notification procedures and mitigation measures in coordination with Canon. The company filed a formal data breach notice with the California Attorney General's Office and began directly notifying affected individuals. Canon offered two years of complimentary identity protection and credit monitoring services through Experian, with enrollment available until June 30, 2020. GE established a dedicated support hotline operating during Eastern Time business hours to address victim concerns. While no evidence of data misuse was reported at the time of disclosure, the exposure created significant risks for identity theft and financial fraud given the breadth of sensitive information involved. The breach impacted multiple categories of personal documentation including marriage certificates, death certificates, retirement applications, and severance benefit forms. GE characterized personal information protection as a top priority in its official statement but provided no specific details about security improvements implemented with Canon following the incident. The company's response focused on victim support rather than technical details of the breach mechanism or attacker attribution.