Boeing breach: Employee leaks 36,000 colleagues’ personal data

A Boeing employee last year emailed a spreadsheet that contained sensitive information of 36,000 colleagues to his spouse.

The spreadsheet was sent to the employee’s spouse – who doesn’t work for Boeing – to help with a “formatting issue,” according to the aerospace firm. It contained employees’ full names, places of birth, employee IDs and, in hidden columns, Social Security numbers and dates of birth.

Boeing discovered the “inadvertent disclosure” in January and has now disclosed the breach to Washington State Attorney General Bob Ferguson, as required by law. Employees were informed of the breach a month later and they have been provided complimentary two-year subscriptions to Experian’s identity theft protection service.

Disclosure is law

Even though Boeing was confident that neither the employee nor his spouse distributed or used any of the information, it was still required to notify the government of the breach.

Washington is one of 47 states to have legislation requiring companies or government entities to disclose a breach of personally identifiably information. Under Washington law, companies are obligated to notify the attorney general’s office if the incident affects more than 500 of the state’s residents.

“Didn’t realize” there was sensitive information

According to Boeing’s deputy chief privacy officer, Marie E. Olson, the employee “didn’t realize there was sensitive information included in the spreadsheet because that information was contained in hidden folders.”

Spreadsheet software usually allows information to be kept hidden, usually to prevent that data from being seen, changed, or deleted.

Mitigate the risks with ISO 27001

Had the employee been aware of the presence of the hidden data, it would’ve largely defeated the purpose of it being hidden to begin with. To have prevented this cyber risk, Boeing should have made its staff aware that spreadsheets may contain sensitive information, whether or not it is visible. Moreover, the company should have classified the document and made sure that the employee followed the appropriate handling procedures for the classification.

Cyber risks, whether accidental or malicious, can be mitigated with an effective ISMS (information security management system). ISO 27001 is the international standard that describes best practice for an ISMS, and applies to people, processes, and technology.

For businesses looking to implement an ISO 27001-compliant ISMS, IT Governance provides a range of fixed-price packaged solutions to accommodate any sector, size, or location. Each provides a combination of products and services that can be accessed online and deployed anywhere in the world. Find out more about the ISO 27001 Packaged Solutions >>