Google Employee Data Exposed by Third-Party Vendor

The details of an unspecified number of Google employees were exposed recently by one of the search giant’s third-party vendors.

A letter submitted by Google to the California Office of the Attorney General revealed that a benefits management services provider mistakenly sent a document containing the personal details of some Googlers to a benefits manager at another firm. The exposed details included names and social security numbers, information that can be highly valuable to fraudsters.

Google learned of the breach after its third-party vendor was notified by the benefits manager who received the employee information. The company launched an investigation to determine the extent of the incident.

“We have no evidence that any of your information has been misused as a result of this incident, and computer access logs indicate that no other individuals viewed your information before it was deleted. In addition, the benefits manager has confirmed that she did not save, download, disclose or otherwise use the information contained in the document,” Teri Wisness, director of U.S. Benefits at Google, wrote in a letter dated May 9.

Despite no evidence of misuse, Google is offering affected employees 24 months of free identity protection and credit monitoring services. The company says it’s working with the vendor in question to ensure that this type of incidents are avoided in the future.

Gary Roboff, a senior advisor at the Santa Fe Group, believes that the third-party vendor likely sent an email to the wrong address.

“The email recipient did what the email rider likely requested, that is, if the email was received in error the receiver was likely asked to notify the sender and delete the email. The recipient notified the sender of the address error and notified the sender that the email containing PII was deleted,” Roboff told SecurityWeek via email.

The expert noted that incidents caused by human error, such as this one, can only be mitigated through training.

“Human error happens, and we’re very unlikely to find a way to stop it. Individuals who are trained about what do when this type of error occurs have the capability to limit or even eliminate any consequences to those whose PII was compromised, and that’s exactly what appears to have happened in this case. Training works!” Roboff said.

On the other hand, Gord Boyce, CEO of file security firm FinalCode, pointed out that technical solutions also exist.

“With all of the layers of security available, organizations like the benefits vendor have no excuse when it comes to preventing data leakage of customer information or intellectual property. Securing sensitive information at the file level is the best way to define individual access permission and ensures that you can maintain control over your data everywhere it travels, inside or outside the organization,” Boyce told SecurityWeek. This minor Google breach serves as a cautionary tale that sensitive information can be taken with malicious intent—or in this case—sent by accident. Once unencrypted data is out there, it’s out there. Organizations should foresee this occurring and apply file security and policies beforehand.”

*Updated with commentary from Gord Boyce