Can you afford a third-party data breach?

July 31, 2019 // Ellen Neveux

Last Updated: April 30, 2020

The lowdown on keeping your data secure: Select Restaurant, PG&E, LabCorp, Quest Diagnostics, and Capital One 

The past few years have been filled with data breaches, cyberattacks, and unauthorized access. With so many cyberattacks happening, it feels like a new company falls victim each day.

In 2017, Select Restaurants left customers’ sensitive information – including name, card number, expiration date, and CVV – on the table. The company, which manages 12 seafood restaurants across the US, was alerted to the hack by its point-of-sale (POS) vendor. Further investigation showed a data breach across all of the restaurant locations, stemming from a third-party network intrusion. According to Upserve’s comprehensive list of compromised restaurants, cyberattacks on POS systems and vendors are quite common in the restaurant industry because these systems aren’t as secure as they could, or should, be.

In early 2018, an unnamed utility company was fined $2.7 million for leaving 30,000 records about its information security assets exposed online for 70 days back in 2016. Just this week, it was revealed that this company was Pacific Gas & Electric Company (PG&E). According to Data Breach Today, this breach happened after a third-party contractor improperly copied data from the utility network to their own network.

In June of 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. The exposed records included names, dates of birth, addresses, phone numbers, dates of service, and more, according to TechCrunch, and ranged from August of 2018 until March of 2019. Both breaches were caused by a hacker who gained access to the system of American Medical Collection Agency (AMCA), a third party that the two companies have in common.

Continuing with the trend of data breaches in 2019, Capital One announced a third-party data breach that exposed the names, addresses, phone numbers, emails, dates of birth, and self-reported incomes of approximately 100 million Americans and 6 million Canadians. The cause was a “configuration vulnerability” in the servers of its vendor, an unnamed cloud computing company that hosts the bank’s data.

Are you next?

These events highlight the multitude of data breaches that occur every day (remember Tesla, Ford, and the Ticketmaster breach), which leads us to ask this question: how secure is your data, especially when it comes to your third-party vendor access?

Have you considered the consequences of becoming susceptible to a data breach or ransomware attack? The Ponemon Institute and IBM reviewed the current cost in their Cost of a Data Breach study. After a 10-month process of interviewing 1,500 people across 383 companies around the globe, the report concluded that the average cost of a data breach is $4 million, which is up 29% since 2013.

Three ways to keep your data secure:

  • Evaluate your vendors: Just one unregulated third party could allow a hacker access to your entire network. It is important to be selective when choosing your vendors.
    • Determine what data each of your vendors needs access to.
    • Confirm that the internal assessments and controls of your vendors align with your organization’s assessments and controls.
    • Confirm that your vendors have strong security policies and procedures in place to ensure your company is in compliance with the latest regulatory requirements.
  • Enforce strong reporting and auditing: To ensure visibility of your vendors’ actions, regular security audits and in-depth report logs are imperative. It is important to monitor the “who/what/when/where” of every individual accessing your network. By monitoring and tracking all movements on your network, you’ll be able to detect vulnerabilities and weaknesses immediately – and address them swiftly.
  • Ensure powerful controls: By analyzing your vendors’ security protocols, you can make sure your company’s security requirements are being met. Ensuring you have granular levels of control over the degree of access you grant each of your vendors – and what data specific individuals can see on your network – will help keep your data secure. Gaining complete control of your vendors’ access will minimize your exposure to third-party data breaches.

With a 26% chance of a data breach occurring over the next 24 months, can you afford to take that risk? Securing all third-party access to your company’s network will keep your data secure and ensure you avoid the associated financial, reputational, and regulatory risks.
