• United States




Google suffers data breach via benefits provider

May 09, 20163 mins
Data BreachInternet

google logo privacy big brother
Credit: REUTERS/Francois Lenoir

Data breaches are always a horrible thing when you are on the side that has been tasked with defending the realm from invaders. When you get that email from someone that says, “Oh wow, check out ghostbin” only to discover that your information is on there. To be fair I’ve not lived through that experience but, I have worked at a company in the past where we had a WordPress instance that was popped.

Shocker I know. In that particular situation we had been told several months prior that said WordPress system had in fact been retired and taken offline. Where we fell down rather badly was that we had trusted the support team to have done what they said that they had accomplished.

There are numerous other examples of organizations that get compromised because of something that goes wrong at some point in their digital supply chain. Be it an interconnect or a third party provider, the chance for something to go wrong grows with each additional connection back to your own enterprise. Sometimes, things fail.

Unfortunately, that can happen to anyone. Starting today Google will start sending out notifications to employees about a data breach that occurred at a third party company that they do business with for their benefit management services. In this case a document was sent from that company to the benefits manager at another company according to the breach disclosure notice filed in California. The short story, not Google. An unfortunate turn of events but, as innocent as a mistake like this may be the chances for cascade failures is real.

Some good news in this case is that recipient realized that they weren’t the intended for that particular document and deleted the data and responded back the to benefits company. Lucky for Google as this sort of behavior isn’t all that common and should be commended. Years ago I worked for a firm where an unnamed/unknown party was so disgruntled with the company that they copied all of the source code for a major product release and sent in the mail to the competition. Other than to cause pain I really have no idea what the motivation was in that case. That was a case of malice which don’t occur as often as the “whoops factor”.

How many times have you almost sent an email to the wrong recipient because you and autocomplete enabled in your email client? Think long and hard, I’d hazard everyone has had that at least once. I know I have.

In the Google case, the whoops factor was curtailed and the damage was limited. There were names and Social Insurance Numbers in the document in question but, that didn’t leak beyond that immediate parties according to the breach notification letter which is due out today. Free advice, disable autocomplete in your email clients. I’m not saying that was the case in this instance but, Occam’s razor comes to mind. 

Even though the issue was contained, Google is providing credit monitoring for affected parties. The road to hell is paved with good intentions and the “whoops factor” emails are good for the layer of stone underneath the paving stones.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author