Boeing Insider Data Breach Serves as Reminder for HR

Train employees on proper data security protocols, experts say

Aliah D. Wright By Aliah D. Wright March 10, 2017
Boeing Insider Data Breach Serves as Reminder for HR

​He couldn't format a spreadsheet.

So he sent it to his spouse for help, ultimately causing a breach that could have exposed the personal data of 36,000 Boeing employees in four states, according to a report by The Associated Press (AP).

This is a good reminder of why HR needs to ensure employees are trained on proper data security measures.

The Boeing employee told investigators that he didn't know the spreadsheet contained sensitive data. AP reported that names, ID numbers and accounting codes were in visible columns "and birth dates and Social Security numbers [were] in hidden columns." This may be why he wasn't aware he was sharing confidential material.

Chicago-based Boeing, a multinational company that designs, manufactures and sells rockets, satellites, airplanes and rotorcraft, sent a letter to Washington State Attorney General Bob Ferguson in February notifying him of the breach. Nearly 8,000 Boeing employees in Washington had their data exposed. It wasn't immediately clear if Boeing notified attorneys general in the other three states or which states those employees worked in.

The breach occurred in November 2016, but Boeing only became aware of it in January. It then notified employees by letter and offered them free credit-monitoring services. The company reportedly said it destroyed copies of the spreadsheet and it doesn't think any of the information was misused.


[SHRM members-only HR Q&A: Much of our employee data is now electronic and is accessible via the Internet and mobile devices. What are some best practice approaches to safeguard this information?]


Employee error is to blame for most data security breaches, according to a study by U.K.-based information security company Egress Software Technologies. "Human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking," study authors wrote.

Why HR Should Mandate Security Training

According to the Association of Corporate Counsel (ACC) Foundation, fewer than half of in-house counsel (45 percent) said their organizations require employees to take training on how to prevent cybersecurity breaches.

"HR has a tremendous opportunity" to educate employees about good cybersecurity habits, said Amar Sarwal, vice president and chief legal strategist for the ACC, in an interview with SHRM Online in January 2016.

"HR can be right at the center of this," Sarwal said.

In addition, HR can train employees to turn to their IT departments for help with technology issues—instead of turning to a third party (like their spouse).

"Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error," SHRM Online reported in June 2016.

Training employees about security policies only yearly, or only when they're new on the job, isn't enough, said Stu Sjouwerman, CEO of Clearwater, Fla.-based KnowBe4, which makes security awareness training and simulated phishing platforms.

"To be most effective, use anti-phishing tools to frequently test employees on a variety of … subjects, then follow up with remedial training for anyone who fails," he said.

Sjouwerman also recommended that employers:

  • Limit who is able to access sensitive data.
  • Limit access to data on a need-to-use or need-to-know basis.
  • Use multifactor authentication to help prevent unauthorized access and to help identify unauthorized users.
  • Frequently change passwords.


Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.



Hire the best HR talent or advance your own career.


HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.