A prominent Washington, D.C.-area consulting firm inadvertently published the names, phone numbers, home addresses, and email addresses of thousands of employees of America’s top aerospace and defense contractor.
Publicly available files maintained by the digital consultancy IMGE included extensive personal information on more than 6,000 Boeing employees, from senior executives to program managers to government-relations personnel, and even one executive at the company’s advanced prototyping arm that handles some of its most sensitive—and highly classified—work for the U.S. government.
Those files were removed from public view after inquiries by The Daily Beast. It’s not clear how long they were publicly accessible, though the names of some of the files indicate they were created in early 2018.
Boeing attributed the leak to IMGE in an emailed statement. “This information was exposed as a result of human error by the website’s vendor,” a spokesperson for the company said. “Boeing takes cybersecurity and privacy seriously and we require our vendors to protect the data entrusted to them. We are closely monitoring the situation to ensure that the error is resolved quickly.”
Cybersecurity experts said the information’s public availability was potentially a significant breach of sensitive details about Boeing personnel. “This looks like a textbook example of data leakage,” said Andrew Grotto, the director of Stanford University’s Program on Geopolitics, Technology, and Governance and a former senior cybersecurity official in the Obama White House.
Grotto said the list of Boeing employees would be a gold mine for malicious actors looking to gain access to the company’s computer networks via a tactic such as spear-phishing, which uses deceptive emails that appear to come from legitimate sources to solicit sensitive information or prompt recipients to open malware-laden files. The list of thousands of Boeing email addresses, Grotto said in an email, “gives adversaries who might wish to penetrate Boeing a list of Boeing employees to spear phish, along with email addresses to target.”
“If it’s available on the internet,” Grotto added, “the safe money is on the bad guys finding it.”
The Boeing employees were just some of the nearly 50,000 individuals whose personal information was left publicly accessible on IMGE’s Amazon cloud-storage system. The information was gathered through a Boeing advocacy website called Watch U.S. Fly, which encourages supporters to use its automated system to send emails and letters to and directly call members of Congress asking them to fund various Boeing projects.
IMGE is a prominent Virginia-based political and corporate firm specializing in digital consulting and advocacy. Its website boasts of its work on behalf of a Fortune 25 company, and its list of political clients includes prominent groups such as the National Republican Congressional Committee and the Republican Governors Association.
IMGE did not respond to questions about its involvement with Watch U.S. Fly and the release of Boeing employees’ personal information.
The Watch U.S. Fly website’s “take action” page asks supporters to provide their names along with their phone numbers, home addresses, and email addresses in order to determine which member of Congress to direct their communications to, and so the database of backers can also be activated for future campaigns. The spreadsheets left public in IMGE’s Amazon “bucket,” as the company’s cloud-storage nodes are called, compiled that information, in whole or in part, on the people who’d used the platform to communicate with Congress.
Through its website and social-media pages, Watch U.S. Fly attempts to rally support for favorable congressional action. Its recent projects have included encouraging funding for Boeing’s Chinook helicopter, its Phantom Express satellite-launch system, and the Boeing space-launch system vying with upstart competitor SpaceX for major NASA contracts.
It’s common for companies such as Boeing to enlist D.C. public-relations firms to mount grassroots advocacy campaigns such as Watch U.S. Fly. But the public release of user data collected through that campaign is a rare leak of such extensive personal details on employees at a company deeply involved in U.S. military and aerospace procurement.
The thousands of employees listed in publicly posted IMGE spreadsheets run the gamut in their roles with the company. But some names stand out on the list, including Boeing’s vice president for combat Air Force systems, its vice president of aircraft programs in Saudi Arabia, and a senior manager for strategy and experimentation at Phantom Works, Boeing’s advanced aerospace and defense development arm.
The fact that that information was collected through Watch U.S. Fly also presents a unique cybersecurity vulnerability, said Jake Laperruque, a privacy and surveillance expert with the Project on Government Oversight.
“I think the biggest risk is that a malicious hacker might try to use this info in combination with the fact that all these individuals signed up for this campaign for a phishing attack,” Laperruque said in an email. “So for example, a hacker might send emails or texts to everyone on the list pretending to be Watch U.S. Fly or another Boeing funding campaign, asking individuals to click a link to join another petition.”
Laperruque noted that individual Boeing email addresses are likely information that such a malicious actor could readily obtain. But, he said, “It’s definitely irresponsible for a company to leave this information out in the open where it could be harvested.”
The leak of that information does not include far more sensitive details about individual Boeing employees, such as passwords that would present an immediate threat. But the list of Boeing email addresses does present a ready-made database for potential spear-phishing attempts. And that tactic has been used to devastating effect of late by adversarial foreign governments. It was spear-phishing that got Russian government-backed hackers access to email accounts associated with the Hillary Clinton campaign and the Democratic National Committee in the run-up to the 2016 presidential election.
It’s a risk that Boeing takes steps to address internally. The company’s statement said its employees “annually receive training about privacy and cybersecurity matters, including guidance about how to protect themselves online. In addition, we have implemented technical controls and monitoring to reduce the risk to employees and the company.”
The company appears to recognize the threat posted by spear phishing attacks in particular. When Boeing hosted its first Defense Industry Cyber War Game exercise in 2017, the tactic was one of a number of potential threats it tested.
—With additional reporting by Adam Rawnsley.