Cyber-security breaches that occur via third parties are a trend that is not likely to go away anytime soon.
In the past, companies might have been able to shield themselves from liability by pointing the finger at the third party who lost the data. That excuse doesn’t fly anymore, and there are plenty of recent examples to prove it.
Significant data breaches this year at TikTok, Instagram and YouTube, at Australia's P&N Bank, and at General Electric, to name a few, shared a common thread: hackers managed to enter their systems and steal their data through a cyber-security vulnerability in a third party.
The release of customer information from the social media companies came via a defunct vendor called Deep Social. P&N Bank’s breach happened when criminals accessed customer data through a hosting company that was providing a server upgrade. Hackers successfully launched an email phishing scam against employees at a third party to gain access to GE employee information.
Regulators, particularly those in the European Union enforcing the General Data Protection Regulation (GDPR), have been unforgiving when it comes to third-party breaches. Recent U.K. Information Commissioner’s Office fines against British Airways, Marriott, and Ticketmaster were among the largest under the GDPR this year, and in each case, the companies held accountable said it was their third-party service providers that were at fault.
“Companies have come to realize that their ecosystem of partners doesn’t have the same level of protections,” said Andrew Morrison, principal at Deloitte & Touche and leader of the firm’s Cyber Risk Services Strategy, Defense & Response division. The impact of a third-party cyber-security breach, and the risks associated with such breaches, “have increased tremendously,” he said.
Kelly White, CEO of RiskRecon, which provides cyber-security ratings to subscribers on thousands of third parties, summed up the situation like this: “You can outsource systems and services all you want, but you cannot outsource your risk.” If your third party loses your company’s data, he said, the company that owns the data will be found at fault by regulators, partners, customers, and the general public.