How one Boeing employee exposed the personal data of 36K coworkers

Dive Brief:

  • The private details of 36,000 Boeing employees was put at risk after a Boeing employee emailed the an excel spreadsheet containing the data to his spouse, who is not a Boeing employee, to ask for help formatting the document, according to a letter Boeing sent to Washington State Attorney General Bob Ferguson.
  • The letter states that the employee wasn’t aware that the Microsoft Excel file he emailed had personal data for 36,000 of his coworkers, including employees names, place of birth, employee IDs and accounting department codes. In hidden fields, the spreadsheet also included social security numbers and employees' date of birth, according to the letter. 
  • Once Boeing found about the incident, it conducted "a forensic examination of both the Boeing employee’s computer and the spouse’s computer to confirm that any copies of the spreadsheet have been deleted." according to the letter. The employee and his spouse confirmed to Boeing they did not distribute or use any of the information. 

Dive Insight:

Most companies worry about lost laptops and smart phones containing sensitive data. But the Boeing story demonstrates how easily huge amounts of data can be compromised with just one email or lapse in judgment. 

It also demonstrates how security issues can easily arise when data is hidden within a document, or even believed to be deleted. Experts point out that data dragged to the recycle bin on a PC can easily be restored.

Even relying on third parties promising to delete your data is not fail-proof, as many people have found out the hard way. Last month, Dropbox said it accidently restored old files users thought they had deleted. Some users said the deleted files reappeared years after they had deleted them. The company attributed the problem to a bug that prevented some files from being deleted from their servers completely.

The best way to prevent such incidents is education. Boeing says it will require employee training on the best ways to manage personal data and is evaluating the implementation of further privacy controls. The company is also taking extra precautions to ensure employee priuvacy, providing a free, two-year membership to an identity protection service, though it does not believe any employee information was used inappropriately. 

Filed Under: Security Leadership & Careers