Cyber Incident Victim: Canon Business Process Services

The incident involving Canon Business Process Services began on or around February 3, 2020, when an unauthorized party gained access to an employee email account maintained by Canon. This breach persisted until approximately February 14, 2020, exposing documents containing sensitive personal information of General Electric (GE) employees, former employees, and beneficiaries. Canon, a service provider for GE, discovered the intrusion and notified GE of the security incident on February 28, 2020. The compromised email account contained workflow routing service documents that had been uploaded by or for GE-affiliated individuals, including direct deposit forms, identification documents, tax records, and benefits applications. Specific exposed data elements included full names, addresses, Social Security numbers, driver's license numbers, passport numbers, bank account details, dates of birth, and information contained in marriage certificates, death certificates, medical support orders, and benefits documentation.

GE confirmed its internal systems were not compromised during the breach, as the incident was isolated to Canon's infrastructure. In response, GE issued formal breach notifications through the Office of the California Attorney General and established a dedicated support hotline operating during Eastern Time business hours. Canon arranged two years of complimentary identity protection and credit monitoring services through Experian for affected individuals, with an enrollment deadline of June 30, 2020. GE publicly characterized the protection of personal information as a top priority but declined to disclose the exact number of impacted individuals when queried by media. The company stated it was implementing measures to prevent recurrence of similar incidents through its service providers, though no technical details about containment procedures or forensic findings were disclosed in available documentation.