In the Sophos Blog – Naked Security – it has been reported that Google employee data was breached by being inadvertently emailed to the wrong client by a benefits company.
Someone working at the third-party vendor to Google, accidentally breached the employees’ information by sending an email with some sensitive data to a benefits manager in a different company.
On Monday, Google sent a data breach notification to an undisclosed number of employees. That notice was also posted to the Californian Attorney General’s website.
Google is still investigating the breach. But as far as the company can tell at this time, the breached information included the affected employees’ names and taxpayer ID numbers (SSNs). Neither their benefits information nor details on dependents or family members were thought to be involved.
Google has offered employees the standard data breach package: 2 years worth of free identity protection and credit monitoring services. The company also told employees where they can access free credit reports, and it sent employees a reference guide with more tips.
It sounds like Google’s getting off quite lightly here: as a check on access logs show that the benefits manager who received the mis-sent email was the only one who viewed the employees’ information.
She has confirmed that she did not mishandle the sensitive data which she received in error: she states that she didn’t save it, download it, disclose it; or use it in any other way.
Google says that beyond further investigation to “determine the facts,” it’s working with the third-party provider to “ensure that a similar incident doesn’t happen again.”
One thing’s for sure: stuff happens. Email gets bungled.