A major immigration law firm responsible for screening Google’s recruits from outside the US has confirmed it suffered a breach that exposed the personal details on an untold number of the tech giant’s current and former employees.
First reported by TechCrunch, the firm that was hit—Fragomen, Del Rey, Bernsen & Loewy—was one of the parties responsible for verifying these employee’s Form I-9 files, which Google (along with every other company operating in the US) is required for every new employee they hire in order to ensure they can legally work in the country. Generally, these files contain a ton of sensitive and personally-identifiable details on the worker in question, like their passports, drivers licenses, or birth certificates—all pretty juicy targets for potential bad actors.
Details on the breach are sparse for now, though a notice first sent out to the affected Google employees and later filed with the California attorney general’s office explains that an unidentified “third party” was first caught snooping through a particular file that housed “personal information,” related to the I-9 forms for a “limited number” of current and former Google employees.
The firm declined to name the total number of Googlers affected by the breach, nor did it mention if only files pertaining to Google’s records were hit. That said, it’s worth noting that sample breach notifications like the one filed by Fragomen are required under California law when “more than 500" of the state’s residents have their details swept up as the result of a single breach.
If you’re a Googler (or ex-Googler) who received this unpleasant notice we’d love to hear from you. You can reach me at the Gizmodo email in my signature, or via Twitter DM.
We’ve reached out to both the firm and Google for comment, and will update this piece when we hear back.