Google Employee Data Exposed by Third-Party Vendor

The details of an unspecified number of Google employees were exposed recently by one of the search giant’s third-party vendors.

A letter submitted by Google to the California Office of the Attorney General revealed that a benefits management services provider mistakenly sent a document containing the personal details of some Googlers to a benefits manager at another firm. The exposed details included names and social security numbers, information that can be highly valuable to fraudsters.

Google learned of the breach after its third-party vendor was notified by the benefits manager who received the employee information. The company launched an investigation to determine the extent of the incident.

“We have no evidence that any of your information has been misused as a result of this incident, and computer access logs indicate that no other individuals viewed your information before it was deleted. In addition, the benefits manager has confirmed that she did not save, download, disclose or otherwise use the information contained in the document,” Teri Wisness, director of U.S. Benefits at Google, wrote in a letter dated May 9.

Despite no evidence of misuse, Google is offering affected employees 24 months of free identity protection and credit monitoring services. The company says it’s working with the vendor in question to ensure that incidents of this type are avoided in the future.

Gary Roboff, a senior advisor at the Santa Fe Group, believes that the third-party vendor likely sent an email to the wrong address.

“The email recipient did what the email rider likely requested, that is, if the email was received in error the receiver was likely asked to notify the sender and delete the email. The recipient notified the sender of the address error and notified the sender that the email containing PII was deleted,” Roboff told SecurityWeek via email.

The expert noted that incidents caused by human error, such as this one, can only be mitigated through training.

“Human error happens, and we’re very unlikely to find a way to stop it. Individuals who are trained about what to do when this type of error occurs have the capability to limit or even eliminate any consequences to those whose PII was compromised, and that’s exactly what appears to have happened in this case. Training works!” Roboff said.

On the other hand, Gord Boyce, CEO of file security firm FinalCode, pointed out that technical solutions also exist.

“With all of the layers of security available, organizations like the benefits vendor have no excuse when it comes to preventing data leakage of customer information or intellectual property. Securing sensitive information at the file level is the best way to define individual access permission and ensures that you can maintain control over your data everywhere it travels, inside or outside the organization,” Boyce told SecurityWeek. “This minor Google breach serves as a cautionary tale that sensitive information can be taken with malicious intent—or in this case—sent by accident. Once unencrypted data is out there, it’s out there. Organizations should foresee this occurring and apply file security and policies beforehand.”

*Updated with commentary from Gord Boyce

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
