The Vermont Office of the Attorney General disclosed a data breach at **Pratt & Whitney Engine Services (PWES)** on **November 16, 2023**, caused by **improper folder permissions on file servers**. The incident exposed sensitive **personal information**, including **dates of birth, Social Security numbers, and health data** of affected individuals. While the breach was internal—with only **PWES employees accessing the data**—the exact number of impacted individuals remains **undetermined**. The exposure of such highly sensitive details, particularly **health and financial identifiers**, poses significant risks, including potential identity theft, fraud, or misuse of personal records. The breach underscores vulnerabilities in access controls, raising concerns about the company’s data governance and the protection of employee and possibly customer information. No evidence suggests external malicious actors were involved, but the **unauthorized internal access** itself constitutes a serious lapse in security protocols.
TPRM report: https://www.rankiteo.com/company/pratt-&-whitney
"id": "pra133082125",
"linkid": "pratt-&-whitney",
"type": "Breach",
"date": "10/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Aerospace/Defense (Engine Services)',
'location': 'Vermont, USA',
'name': 'Pratt & Whitney Engine Services (PWES)',
'type': 'Subsidiary/Business Unit'}],
'data_breach': {'data_exfiltration': 'Unlikely (believed to be accessed only '
'by PWES employees)',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': ['date of birth',
'social security '
'numbers'],
'sensitivity_of_data': 'High (includes SSNs and health '
'information)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'protected health information '
'(PHI)']},
'date_publicly_disclosed': '2023-11-16',
'description': 'The Vermont Office of the Attorney General reported a data '
'breach involving Pratt & Whitney Engine Services (PWES) on '
'November 16, 2023. The breach was caused by improper folder '
'permissions on file servers, exposing personal information '
'such as date of birth, social security numbers, and health '
'information. It is believed that only PWES employees accessed '
'the data. The number of affected individuals is currently '
'unknown.',
'impact': {'data_compromised': ['date of birth',
'social security numbers',
'health information'],
'identity_theft_risk': 'Potential (due to exposure of SSNs and '
'personal data)',
'systems_affected': ['file servers']},
'investigation_status': 'Ongoing (number of affected individuals unknown)',
'post_incident_analysis': {'root_causes': 'Improper folder permissions on '
'file servers'},
'references': [{'date_accessed': '2023-11-16',
'source': 'Vermont Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Vermont Office of the '
'Attorney General']},
'response': {'communication_strategy': 'Public disclosure via Vermont Office '
'of the Attorney General'},
'title': 'Data Breach at Pratt & Whitney Engine Services Due to Improper '
'Folder Permissions',
'type': 'Data Breach',
'vulnerability_exploited': 'Improper folder permissions on file servers'}