General Dynamics Corporation (GD) has informed Maine residents of a data breach involving unauthorized access to employee benefits accounts. The breach, discovered on October 10, 2024, was traced back to a malicious phishing campaign. Employees were lured to a fraudulent login site that mimicked the legitimate third-party portal used to access their benefits accounts. By submitting their credentials to the fake site, employees unknowingly provided attackers with access to their personal and sensitive information.
GD immediately took steps to contain the incident, including hiring a forensics firm to investigate the breach and determine its scope. The investigation revealed that the unauthorized actor had altered direct deposit information for certain employees’ benefits accounts. The exposed data potentially includes sensitive personal details, such as names, dates of birth, social security numbers, government-issued identification numbers, bank account information, and disability status.
To mitigate the impact, GD swiftly notified the affected employees whose bank account information was changed starting from October 10, 2024. The company also sent formal notices of the incident to individuals with a Maine mailing address beginning December 23, 2024. The notices include information about the breach, the data potentially exposed, and the steps GD is taking to protect the affected employees’ data.
At present, GD has identified two records involving Maine residents, triggering the notification requirement under Maine’s data breach law. While GD has worked to contain the breach and resolve the issue, the incident highlights the growing risk of phishing attacks targeting employees and the critical importance of cybersecurity awareness and vigilance in preventing similar breaches in the future.