Google employees’ details breached in vendor’s email bungle

Google employees’ personal details have been spilled by a vendor who handles the company’s benefits management.

Somebody working at the third-party vendor accidentally breached the employees’ information by sending an email with sensitive data to a benefits manager at another company.

On Monday, Google sent a data breach notice to an undisclosed number of employees. That letter was also posted to the Californian Attorney General’s website.

Google is still investigating. But as far as the company can see at this point, the breached information included the affected employees’ names and taxpayer ID numbers – their Social Security numbers (SSNs). Neither their benefits information nor details on dependents or family members were involved.

Google offered employees the standard data breach bill of fare: in this case, it’s 2 years worth of free identity protection and credit monitoring services. The company also told employees where they could access free credit reports, and it sent along a reference guide with more tips.

It sounds like Google’s lucking out on this one: A check on the computer access logs show that the benefits manager who received the mis-sent email was the only one who viewed the employees’ information.

She’s confirmed that she didn’t manhandle the radioactive stuff: she says she didn’t save it, download it, disclose it or use it in any other way.

Google says that beyond further investigation to “determine the facts,” it’s working with the third-party provider to “ensure that a similar incident doesn’t happen again.”

Heaven knows what training efforts or thumbscrews that might entail. But one thing’s for sure: stuff happens. Email gets bungled.

Organizations are of course vulnerable to their employees fumbling email.

But throw contractors and vendors in the mix, and security has the potential to get ever more sieve-like. It would be nice to think that outsourcing something like benefits administration would also entail outsourcing the angst over potential data loss, but that’s a pipe dream.

A while back, Naked Security ran a series on how to assess a third-party vendor’s security practices. Part 1 has tips that should help you gain a valuable insight into a vendor’s security practices, and part 2 takes a look at how to assess security functionality in vendors’ apps: namely, which features can help you configure a given solution in a secure manner.