Blundering Boeing bod blabbed spreadsheet of 36,000 coworkers' personal details in email

Global aerospace firm Boeing earlier this month sent a notification to Washington State Attorney General Bob Ferguson, as required by law, about a company employee who mistakenly emailed a spreadsheet full of employee personal data to his spouse in November, 2016.

The spreadsheet, sent to provide the employee's spouse with a formatting template, contained the personal information of roughly 36,000 other Boeing employees, including Social Security numbers and dates of birth, in hidden columns. Some 7,288 of the affected employees resided in Washington State.

Had the company been using the data loss protection (DLP) software it makes, Boeing might not now be in the position of offering two-year subscriptions to Experian's identity theft protection service to tens of thousands of employees.

Boeing sells a Windows-based DLP application called Cipher, through a partnership with Talisen Technology. "Proprietary or classified information can intentionally or accidentally be included in documents shared with others," Boeing explains in the product literature. "Boeing programmers have created a superior product that can be used to ensure that hidden information is not inadvertently included in and transmitted with a file."

Reached by phone and sounding rather surprised that a reporter would call her directly on the line included in the breach notification, Boeing's deputy chief privacy officer Marie E Olson declined to answer whether the company was using its data protection software in this instance. She suggested taking the issue up with Boeing's corporate communications department.

Not expecting much, The Register asked Boeing's communications department whether the company ate its own security dog food. A company spokesperson said in an email, "We have notified all affected parties about the incident. We believe it is contained and the risk of harm is very low. I don't have anything else to add."

The Register then reached out to Gregory L Smith, a Boeing technical fellow and, as his LinkedIn profile says, "the innovator and developer behind the Cipher software application." Smith explained in a brief phone interview that Boeing has thousands of copies of the software, but that it only mandates the product for classified work.

According to research conducted by IBM and the Ponemon Institute – presumably to incentivize the sale of security software and services – the average cost of a data breach reached $4 million in 2016 and the average cost per record came to $158. For Boeing then, the cost of that spreadsheet might be as high as $5.7 million. ®