3rd Party Data breaches – Don’t let them destroy your business
“A chain is only as strong as its weakest link”, it seems so cliché that most of us have no clue where this phrase originated or pay attention to the truth that it holds.
The original phrase was written by Thomas Reid in his Essays on the Intellectual Powers of Man, 1786, and its simplicity still holds truth today for every information security professional.
If your company’s information security infrastructure is top notch, up to industry recognised best practise standards and also independently assessed to ISO 27001 but you are using a 3rd party company to do anything with your customer’s data, then you had better make sure they are up to scratch. Don’t allow your data to breach because of one weak link.
Marketing, customer care, business intelligence, cloud storage, CRM, loyalty schemes etc. are all examples where companies may outsource a business function to a contractor. Outsourcing can be a good way to bring in different skill sets and to allow you to build stronger relationships with your customer, but can you imagine the damage that would be caused if that contractor lost your client’s data?
This is exactly the case in Ireland over the past two weeks. LoyaltyBuild, a loyalty marketing company that aimed to increase sales and revenues through the delivery of customer relationship products, specifically holidays and weekend breaks, suffered one of the largest data breaches in Europe and certainly the biggest in Irish history. A team from the Irish Data protection commissioners have confirmed that approximately 87,000 Irish residents and a further 1.12 million Europeans have had their names, addresses, phone numbers and email addresses breached.
The story gets worse. It has already been confirmed that several of customers whose data was breached have had money debited from their payment cards. This issue affects some of the largest brands in Ireland with businesses from utilities (ESB), retail (SuperValu, Cleary’s, Centra, Pigsback) and insurance (Axa) being affected.
Details of the cause of this breach have begun to emerge. Loyaltybuild were storing financial information (credit cards, CCV codes, expirary dates) unencrypted in the same location as customer information, implicitly against best practise.
The Irish Data Protection Commissioner, Billy Hawkes, has said the payment card details of up to half a million people across Europe may have been compromised by this data breach.
Under the terms of their contracts with the payment cards providers Loyalty Build were meant to have PCI DSS compliance. It now appears that they did not and their auditors may have ignored or simply over looked this need.
This is just one example of thousands of third-party data breaches that happen every year. It is a growing concern worldwide and one where many businesses seem to have a blind spot. The biggest thing to note from almost all of these cases is that they are avoidable!
With all due diligence, eyes wide open.
Fundamentally we come back to the basics of information security, risk awareness and training. Just because you cannot see what your partners are doing it doesn’t mean that you can ignore or negate any potential risk.
You should be fully aware of what they are doing. How they are doing it and what potential pitfalls they may encounter (with your data!). Training is equally important. Knowing how to recognise risks comes from experience and keeping abreast of industry developments.
Improving vendor management is the secret to creating a successful, fruitful partnership. When choosing to work with a third-party you should take a fresh look at your information security risk register.
What has changed? You should attempt to identify the inherent risks associated with the third-party activity. For instance do they deal with brands that may be the target of online activism (thus causing your data to be caught up in a breach) or perhaps they are a large disliked brand? These kinds of decisions should be taken with eyes wide open so you can make an informed decision. When it comes to price, cheaper can be more costly in the long run. If you can mitigate these new risks and the deal still makes financial sense then there is no reason why you shouldn’t proceed
Another question you need to ask is how will your organisation manage this third-party? What monitoring and evaluation will you do? Allowing a third-party contractor unmonitored access to sensitive data is what caused one of the biggest information security stories of the year when Edward Snowden breached the CIA’s spying plans. Extensive due-diligence should be part of the selection process.
As part of the due diligence you should negotiate written contracts that clearly outline the rights and responsibilities of all parties. Remember to demand the right to audit and do not be afraid to walk away if this clause is refused.
Having a break clause in the contract, a section that allows you to terminate it if the third-party is not fulfilling their parts of the contract, is another must have. You should also consider business continuity if this break clause were to be exercised. What impact would breaking this contract have on your day to day activities?
Right to Audit
The right to audit is a very important idea when exchanging information with anyone. This concept gives you the right to examine and fully evaluate a potential partner’s systems. Specifically, in this instance I am speaking about a contractor’s data security but this can equally extend to partner’s infrastructure. Ensuring that data is available when needed is a key requirement; poorly maintained equipment and lack of investment is one of the primary causes of data loss in business.
This right to audit is an important aspect of any contract where you intend to swap data. If the clause does not exist insist on introducing it. Where it exists you must exercise the option. Your business data is too important to trust in the hands of someone else without due care and attention. If the skills to audit an organisation do not exist in your company then you must hire an expert.
I would even go as far as appraising any contractor’s independently assessment certifications. Transparency is vital and I would welcome any potential business partner of our clients seeking clarification about the scope or stability of any of our clients ISO 27001 management systems.
In 2012 the NHS Trust were fined £325,000 following a data breach where a sub-contractor did not destroy hard drives with patient data on them, rather he sold them on line and hospital data, including the aforementioned patient data found its way into the public domain. Some of this data was hospital employee information including national security data. Other sets included details of patients STD and HIV tests. This shocking data breach was punished with one of the largest fines that year.
Scottish Borders Council was also fined £250,000 for their contravention of the data security rules in 2012. They had hired a contractor to digitize and dispose of their pension records. When these same records appeared as litter in a supermarket car park it promoted a member of the public to call the police. In total 81,000 pension records were breached.
These two cases last year in the UK both share common themes. Both involve data holders who sub-contracted an element of work to a third-party. Both did not monitor this vendor and both suffered substantial fines due to data breaches, the combined fines totalling in excess of half a million pounds.
In both cases the Information Commissioners Office, ICO mentioned that there was no mitigating circumstances in defence of either defendant because they did not “ (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures. “
This isn’t just a European issue, earlier this year the National Association of Federal Credit Unions (NAFCU) made representations to Congress asking them to hold breached businesses, processors and various third parties accountable, especially where sub-standard information security practices resulted in a data breach.
U.S. banking regulators have stated that they intend to impose regulations on banking institutions and associated businesses to ensure the security standards of the payments processors and vendors that they work with are also up to a recognised industry standard.
This move to ensure “supply-chain continuity” with regards to information security is something that anyone who engages a 3rd party contractor should consider.
Your business should demand that any contractors that will be handing data have the relevant standards for their industry, your industry and are also compliant with all the same standards that your business adheres to.
There is a growing sense that people should be held accountable for losses of data, make sure you do not lose your reputation or even your business to a data breach that was entirely avoidable.
Area of Expertise:
Michael is an expert in the fields of national and international standards and compliance assessment. He has over 15 years’ experience in information security standards for government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
Michael Brophy is Founder and CEO of Certification Europe which was founded in 2001 with Head Quarters in Dublin, Ireland. In 2012 Certification Europe Limited opened their London operation which, along with offices in Belfast, Turkey, Japan and Italy, is a group of accredited certification bodies which provides ISO Certification and Inspection services to organisations globally.
Michael is a graduate of the University of Ulster and the Universidad de Zaragoza (Spain), with a Master in European Policy and Regulation at Lancaster University, and is one of Ireland’s leading authorities on standardisation. Michael has a wealth of experience in Information Security and Business Continuity Management Systems implementation for Government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
Michael has particular expertise in the field of electronic signatures; developing national legislation and national regulatory bodies to govern the use and legal basis for electronic signatures. He has previously advised on the establishment of standards at a national and international level, and he would be viewed as one of Ireland’s leading authorities on standardisation and has served on various EU Commission committees.
Certification Europe is the only Irish accredited certification body operating in the field of Business Continuity standards, it was the first accredited industry player in Ireland to offer Information Security and IT Service Management Systems assurance schemes, and it is a world leader in Energy Management System certification.
Michael is also Chair of the Association of Accredited Certification Bodies (AACB).
Other articles from Certification Europe include:
– Chasing Shadow IT
– Humans are the weakest part of your information security system