Early last month, Boeing notified the Washington state Attorney General that personal data on 36,000 of its employees (including 7,288 Washington residents) had been briefly out of the company’s control. The breach had happened in November. Boeing discovered it in January and began notifying the affected employees (offering two years of free credit monitoring) in February.
As far as anyone can tell, there was no harm done. The story should simply be a footnote in the annals of cyber security. But I find it interesting as a snapshot of organizational response to data breaches.
First, a little background on how the breach occurred. A Boeing employee was struggling with the formatting of a spreadsheet containing employee data. He emailed the spreadsheet to his spouse, who does not work for Boeing, to get help. The spreadsheet contained 36,000 employee records with information such as name, birth place, employee ID, and accounting department codes. Hidden columns in the spreadsheet, however, also included birth dates and Social Security numbers. The employee didn’t realize the spreadsheet had this information in the hidden columns.
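To make the failure mode concrete, here is an added example (not from the post, and not Boeing's code) that inspects the worksheet XML an .xlsx file is built from: a hidden column is nothing more than a hidden="1" flag on a `<col>` element, and every cell beneath it is still stored in full for any recipient to read. The worksheet XML is constructed for this example and assumes inline strings and a single sheet.

```python
import re
import xml.etree.ElementTree as ET
NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed worksheet XML (the shape of xl/worksheets/sheet1.xml inside an
# .xlsx), not the Boeing file. Columns C and D carry hidden="1" yet their cells
# are stored anyway; inline strings keep the sample parseable stand-alone.
SAMPLE_SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="3" max="4" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="2">
      <c r="A2" t="inlineStr"><is><t>A. Example</t></is></c>
      <c r="B2"><v>100234</v></c>
      <c r="C2" t="inlineStr"><is><t>1980-04-12</t></is></c>
      <c r="D2" t="inlineStr"><is><t>123-45-6789</t></is></c>
    </row>
  </sheetData>
</worksheet>"""

def col_to_index(letters):
    """Column letters -> the 1-based index <col min/max> uses: A=1, Z=26, AA=27."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - 64
    return n

def hidden_columns(root):
    """1-based indexes of every column some <col> element marks hidden."""
    hidden = set()
    for col in root.iterfind("s:cols/s:col", NS):
        if col.get("hidden") in ("1", "true"):
            hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
    return hidden

def scan_sheet(xml_text):
    """List every cell that sits in a hidden column, flagging SSN-shaped values."""
    root = ET.fromstring(xml_text)
    hidden = hidden_columns(root)
    findings = []
    for c in root.iterfind("s:sheetData/s:row/s:c", NS):
        ref = c.get("r")
        if col_to_index(re.match(r"[A-Z]+", ref).group(0)) not in hidden:
            continue
        node = c.find("s:is/s:t", NS)        # inline string ...
        if node is None:
            node = c.find("s:v", NS)         # ... or a plain value
        val = "" if node is None else (node.text or "")
        findings.append({"cell": ref, "value": val, "ssn": bool(SSN_RE.match(val))})
    return findings
```

A pre-send check like this, run over each sheet in the archive, would have flagged the hidden SSN column before the file ever left the company.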
Both the employee and his spouse confirmed to Boeing that they had not used or distributed any of the information. Nevertheless, Boeing did a forensic examination of both computers to confirm all copies of the file were destroyed. Boeing also promised to provide its employees with additional training “on the proper handling of personal information.”
The notification Boeing sent to Washington’s Attorney General came from the company’s Deputy Chief Privacy Officer, Marie Olson. You can find her letter, and a story about the incident here. Olson’s letter is a comprehensive three-page document explaining what happened, how Boeing handled it, and what the company was saying to affected employees about it. I find it encouraging to know that Boeing has a Deputy Chief Privacy Officer. It turns out she works in Boeing’s Global Privacy Office. That Boeing has a privacy officer probably helps to explain the speed and graciousness with which Boeing handled the breach.
Who knew privacy had become a profession? The International Association of Privacy Professionals (IAPP) was founded in 2000 and has 20,000 members in 83 countries. For the past three years, membership has been growing at an annual rate of 20%. IAPP sponsors an international conference on privacy (the Global Privacy Summit, held this year in Washington, DC, on April 19-20). It also runs professional certification programs.
It is also now a partner of Logical Operations. Our partnership brings each of IAPP’s certifications, including the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPT), to Logical Operations’ network of over 3,000 training centers worldwide. Courses are two-day, instructor-led training sessions that include textbooks, participant guides, exam vouchers, and a one-year IAPP membership.
The Boeing incident is a minor glitch in the privacy landscape. Bigger ones occur with depressing regularity. Just last month, Troy Hunt, an application security professional, showed how the database for Cloudpets (stuffed animals that record spoken messages to and from the kids who own them) has been leaking private information on the internet. Cloudpets is a product of Spiral Toys, and according to Hunt, the company’s response to the breach leaves a lot to be desired. If they haven’t already, Spiral Toys may want to consider sending someone for IAPP certification.