EVERETT — A Boeing worker’s decision to email a spreadsheet home to his wife theoretically could cost the company more than $13 million. It also put thousands of his coworkers at risk of identity theft.
The document contained personal information about roughly 36,000 employees at the aerospace giant — including 7,288 living in Washington. The leak likely was caught before any damage was done, the company told Washington Attorney General Bob Ferguson in early February. The notification is required by state law.
Nonetheless, the company is offering affected workers a two-year subscription to Experian’s anti-identity theft service, ProtectMyID. At the retail price of $15.95 a month, that works out to nearly $13.8 million over two years if every affected worker signs up.
The Boeing worker sent a spreadsheet containing workers’ personal information to his wife Nov. 21. He told Boeing investigators that he sent the document “for help with a formatting issue,” Marie Olson, Boeing’s Deputy Chief Privacy Officer, said in the company’s letter to Ferguson.
Plenty of personal information was visible on the spreadsheet, including first and last names, places of birth, employee I.D. numbers and accounting department codes. The document also contained Social Security numbers and dates of birth in hidden columns.
The couple told investigators that they have not used the information or shared it with anyone else. A forensic examination of their computers confirmed that no copies had been made, Olson said in the letter.
Boeing makes a product that might have prevented the leak, which was not discovered until Jan. 9. The Windows-based software, Cipher, is designed to “ensure that hidden information is not inadvertently included in and transmitted with a file,” the company says on its website.
It is not clear if the product was being used by the employee when the leak occurred.
According to his Linked-In profile, Smith helped develop Cipher.
Boeing spokesman Chaz Bickers declined to say if the program was in use at the time.
The company believes the leak “is contained and the risk of harm is very low,” Bickers told The Daily Herald. “We are reviewing our training and controls to minimize the risk of any similar event.”
The company will order further training on proper handling of personal information, according to the notification sent to workers whose information was leaked.
The notification recommended steps they should take to watch for identity theft and included instructions for how to sign up for the two-year Experian service.