When an employee of J.M. Smucker needed assistance on a human resources project, the employee e-mailed the data to a relative who’s a computer programmer for help. Unfortunately, although the programmer’s server is reportedly a secure server, the programmer is not an employee of Smucker’s.
Smucker discovered the breach itself through its own monitoring, and the incident resulted in the company notifying almost 6,000 employees and some dependents that their personal information including SSN and tax data had been exposed outside the company. The firm offered those affected free credit monitoring services. In addition to those expenses, they also had to deal with the programmer’s firm to enlist their cooperation in containing the problem and deleting the data, they brought in the FBI to investigate, and they hired a third party to assess the employee’s home computer to ensure that there was no other personal data floating around.
Details of what happened and the steps the firm took can be found in their notification to the New Hampshire Attorney General’s Office.
All in all, it sounds like this employee error could be a useful example for IT heads to use as a cautionary tale as to what it can cost a firm if an employee means well, but doesn’t follow company security policies.