November 13, 2019 // Tony Howlett // Last Updated: November 19, 2020
News broke this week that Marriott International, the holding company for the Marriott chain of hotels, had personal data of over 1,500 of its associates exposed by a breach at a former vendor. This comes on the heels of a customer data breach Marriott suffered that spanned 2014 to 2018 and involved over 500 million customer records. That breach exposed sensitive information such as names, addresses, dates of birth, and in some cases passport numbers and credit card numbers. That massive hack was widely reported and is one of the largest data breaches in history; this week's news, however, was treated by most outlets with a “so what” attitude. With major breaches happening almost daily, this one can seem like back-page news. As both professionals and consumers, our senses are dulled by the constant onslaught of multi-million-record breaches. A notice in the mail that our credit card needs to be replaced because of a breach brings a resigned sigh rather than panic and outrage. And in this case, Marriott was not directly at fault. A third-party vendor, identified as Corporate Creations, ironically a compliance and reporting vendor, was the entity that actually got hacked and exposed Marriott’s data. So it is tempting to give Marriott a pass on this one and move on to the next bigger, more sensational incident. Here’s why we shouldn’t do that.
There is a tendency, when an incident is caused by a third party, to blame only the vendor. After all, they’re technically the one that got hacked, not the poor, victimized company that collected your data! Such companies often issue press releases trying to wash their hands of the incident and implicating the third party as the bad actor. This is disingenuous from a corporate responsibility standpoint and also typically irrelevant under the applicable statutes. Nearly all enterprises these days use vendors that handle at least some of their customers’ data; Salesforce, G Suite apps, and Office 365 are just a few examples of third parties that hold vast amounts of customer data on behalf of companies. Most regulations, however, hold the collecting party responsible regardless of how the information got out. If a company is not diligent in putting in place a solid, ongoing vendor management program, using technical controls such as vendor privileged access management (VPAM) to secure vendor access, and following that up with good oversight and audit, then the sins of the vendor should be considered, at least partially, the sins of the company.
And given that this was a former vendor, it also raises the question of what rights and responsibilities corporations have to remove customer data left on previous vendors' systems. While privacy legislation such as GDPR and CCPA clearly lays out the right of consumers to ask a company to “forget” or erase their data when they leave, enterprise rights on this matter are not as clear. It should certainly be a best practice of good vendor management to properly “offboard” outgoing vendors by requesting that all company data be removed from the vendor's systems, and hopefully the vendor agrees and complies. At the very least, when a breach then happens and causes the company damage, the company will have clear recourse to pursue civil penalties. Regardless, we need to start holding companies that collect and process our data accountable for what happens to it, even when it is lost via a third-party vendor. This will push enterprises of all sizes to take vendor risk management more seriously and avoid these incidents in the first place.
To learn more about vendor management platform options, check out our brochure, which lists some of the most popular options. The brochure highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications in order to combat third-party data breaches and more.