Businesses today have more third parties touching their confidential data than ever before: an average of 583. Fifty-nine percent of respondents said they have experienced a data breach thanks to one of their third parties. Forty-two percent had experienced such a breach within the last 12 months.
As many as 500 million people who made reservations at Starwood properties may have had their personal information accessed in a breach that lasted as long as four years. An unauthorized party had copied and encrypted information from the database and had taken steps toward removing it, Marriott says.
A hack of Atrium billing vendor AccuDoc may have affected as many as 2.65 million people, Charlotte-based Atrium said. Of those, about 700,000 patients may have had Social Security numbers compromised, according to Atrium.
According to the Opus and Ponemon study, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 percent over last year’s study and a 12 percent increase since 2016.
Third-party vendors are turning into a key challenge because the risks they introduce have been neglected for far too long.
Third parties continue to pose risks to healthcare providers. Third-party breaches accounted for 1.34 million patient records being breached in the third quarter of 2018.
On October 4th, Pentagon officials were alerted to a data breach that affected its personnel. Hackers gained unauthorized access to personal information and credit card numbers. The data was accessed via a system that maintained travel records. That system was not operated by the Department itself but by an unnamed third-party contractor.
According to a Monday press release from Tyler, TX, the city was notified that an unknown third party was able to gain access to payments made through the system the City uses to collect payments for utilities and municipal court fines and fees.
A previously unnamed U.S. energy company that agreed to a record $2.7 million settlement after it left 30,000 records about its information security assets exposed online for 70 days in violation of energy sector cybersecurity regulations has been named as California utility PG&E.
This year’s headlines have featured a number of high-profile exposures caused by third parties working on behalf of major brands.